Setting $secure
or $httponly
value to true
in Config\Cookie
is not reflected in set_cookie()
or Response::setCookie()
.
Note This vulnerability does not affect session cookies.
The following code does not issue a cookie with the secure flag even if you set $secure = true
in Config\Cookie
.
helper('cookie');
$cookie = [
'name' => $name,
'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
Upgrade to v4.2.7 or later.
helper('cookie');
$cookie = [
'name' => $name,
'value' => $value,
'secure' => true,
'httponly' => true,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
use CodeIgniter\Cookie\Cookie;
helper('cookie');
$cookie = new Cookie($name, $value);
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
If you have any questions or comments about this advisory: * Open an issue in codeigniter4/CodeIgniter4 * Email us at SECURITY.md
{ "nvd_published_at": "2022-10-06T20:15:00Z", "cwe_ids": [ "CWE-665", "CWE-732" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-10-06T20:01:41Z" }