Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

Impact

Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie().

Note
This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

Specify the options explicitly.

helper('cookie');

$cookie = [
    'name'     => $name,
    'value'    => $value,
    'secure'   => true,
    'httponly' => true,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Use Cookie object.

use CodeIgniter\Cookie\Cookie;

helper('cookie');

$cookie = new Cookie($name, $value);
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

References

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

Severity

CVE ID

Weaknesses