Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued

Impact

Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie().

> Note
> This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

1. Specify the options explicitly.

   helper('cookie');
   
   $cookie = [
       'name'     => $name,
       'value'    => $value,
       'secure'   => true,
       'httponly' => true,
   ];
   set_cookie($cookie);
   // or
   $this->response->setCookie($cookie);
   

2. Use Cookie object.

   use CodeIgniter\Cookie\Cookie;
   
   helper('cookie');
   
   $cookie = new Cookie($name, $value);
   set_cookie($cookie);
   // or
   $this->response->setCookie($cookie);
   

References

• https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
• https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie

For more information

If you have any questions or comments about this advisory:

• Open an issue in codeigniter4/CodeIgniter4
• Email us at SECURITY.md