CVE-2022-39284: Config\Cookie Secure or HttpOnly flag not set in CodeIgniter4

Description Impact Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(). Note This vulnerability does not affect session cookies. The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie. helper(‘cookie’); $cookie = [ ‘name’ => $name, ‘value’ => $value, ]; set_cookie($cookie); // or $this->response->setCookie($cookie); Patches Upgrade to v4.2.7 or later. Workarounds Specify the options explicitly. helper(‘cookie’); $cookie = [ ‘name’ => $name, ‘value’ => $value, ‘secure’ => true, ‘httponly’ => true, ]; set_cookie($cookie); // or $this->response->setCookie($cookie); Use Cookie object. use CodeIgniter\Cookie\Cookie; helper(‘cookie’); $cookie = new Cookie($name, $value); set_cookie($cookie); // or $this->response->setCookie($cookie); References https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md