
set cookieHTTPOnly not work #2999

Closed
perspolise opened this issue May 15, 2020 · 10 comments

Comments

@perspolise

perspolise commented May 15, 2020

I set cookieHTTPOnly to false like this:

public $cookieHTTPOnly = false;

but in practice it does not work:

@crustamet
Contributor

crustamet commented May 15, 2020

Yes, I agree. I saw in the session class that when it sets the cookie it does not include this config option:

protected function setCookie()
{
    setcookie(
        $this->sessionCookieName,
        session_id(),
        (empty($this->sessionExpiration) ? 0 : time() + $this->sessionExpiration),
        $this->cookiePath,
        $this->cookieDomain,
        $this->cookieSecure,
        true // HttpOnly flag, hard-coded rather than read from config
    );
}

So it's always TRUE.

And I also see a comment there saying:

$this->sessionExpiration, $this->cookiePath, $this->cookieDomain, $this->cookieSecure, true 
// HTTP only; Yes, this is intentional and not configurable for security reasons.

And of course it is a security issue, because anyone with JavaScript knowledge can hack your app by creating random cookies to log in without any POST requests.

May I ask, why do you want to do this?

@crustamet
Contributor

By the way, if you're doing what I think you're trying to do, you can always set another cookie via the cookie helper with that option being off:

set_cookie();

@lonnieezell
Member

That param should only be ignored for the session. If you do it via the cookie_helper, it should apply.

@perspolise please provide a code example and a better explanation for context so we can actually debug.

@perspolise
Author

perspolise commented May 18, 2020

@lonnieezell: i.e. I check the default cookie config in app->config->app.php and change it to false:

public $cookieHTTPOnly = false;

This does not work, and you can always see that the cookie's HttpOnly flag is true.

@perspolise
Author

perspolise commented May 18, 2020

@crustamet

And of course it is a security issue, because anyone with JavaScript knowledge can hack your app by creating random cookies to log in without any POST requests.

May I ask, why do you want to do this?

Security is first. But for example: CodeIgniter has a big problem with regenerating the CSRF token (public $CSRFRegenerate = true;) and AJAX POST. In practice, for each POST of form data and page refresh, CodeIgniter generates a new CSRF token (this is important and good for more security), but for AJAX POST data CodeIgniter does not have a good solution to fix this problem. In Laravel you can see this solution.

For example: to fix CSRF token regeneration, if I set HttpOnly to false, I can get the CSRF token using JavaScript from the cookie and fix CSRF token regeneration in AJAX POST. Or another way: I can set CSRFRegenerate to false.

@lonnieezell
Member

@perspolise We also set that header. I believe we provide a similar solution to Laravel in that respect but I don't recall all of the details of that PR. However, the big question is: what does that have to do with HTTPOnly on cookies? I'm confused.

Additionally, you never provided where/how you check the value of that cookie, or an example we can recreate. I believe the only place it's used is in the Response class where it pulls it from the config and then later when it allows your config file setting to override the value in setCookie().

@perspolise
Author

perspolise commented May 18, 2020

@lonnieezell

what does that have to do with HTTPOnly on cookies?

In this case:

To fix CSRF token regeneration, if I set HttpOnly to false, I can get the CSRF token using JavaScript/jQuery (a cookie plugin to read the CSRF token) and fix CSRF token regeneration in AJAX POST.

@lonnieezell
Member

Ah, you were pointing to example where they were using a header so I was missing the connection. Or I skimmed the solution too quickly :)

Either way, if there's an underlying issue with the httponly value not being able to be changed then it definitely needs to be addressed. With the exception of session cookies, all others should currently respect the value you use when you specify it with the set_cookie() helper method, or on the response directly.

Can you provide an example (in code) where this isn't working?

@perspolise
Author

perspolise commented May 19, 2020

@lonnieezell

Can you provide an example (in code) where this isn't working?

var csrf_token = document.querySelector('meta[name="X-CSRF-TOKEN"]').getAttribute('content');
$("selector").select2({
    minimumInputLength: 3,
    theme: 'bootstrap4',
    width: 'auto',
    ajax: {
        url: "<?= route_to('autocomplete'); ?>",
        type: "post",
        dataType: 'json',
        delay: 250,
        data: function(params) {
            return {
                searchTerm: params.term,
                csrf_token: csrf_token
            };
        },
        processResults: function(response) {
            return {
                results: response
            };
        },
        cache: true
    }
});

In my code, the first POST of data is OK, but on the second I see error 403. Another example: search, sort, etc. in the DataTables plugin and much more JS code (AJAX POST method).
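The 403 on the second request above is what you get when the server regenerates its expected token after every validated POST while the page keeps sending the token it read at load. The following is an added example, not code from this issue or from CodeIgniter: a toy model of both sides in Node.js that reproduces the stale-token failure and shows the fix that keeps the session cookie HttpOnly, namely refreshing the client's in-memory token from each response (the `csrf_hash` response key, the `X-CSRF-TOKEN` meta seeding and the counter-based token generator are assumptions made for the demo).

```javascript
// Stand-in for random token generation; a real filter uses random bytes.
let counter = 0;
const freshToken = () => "tok-" + (++counter);

// Server side: toy model of a CSRF filter with CSRFRegenerate = true, i.e. the
// expected token is replaced after every validated POST.
function makeServer() {
  const state = { token: freshToken() };
  return {
    // Rendered into the page once, e.g. as the content of a <meta name="X-CSRF-TOKEN"> tag.
    initialToken: () => state.token,
    // Returns {status, body}; the fresh token travels under an assumed key, csrf_hash.
    post(body) {
      if (body.csrf_token !== state.token) return { status: 403, body: {} };
      state.token = freshToken();
      return { status: 200, body: { results: [], csrf_hash: state.token } };
    },
  };
}

// Client side: the token lives in JS memory, seeded from the meta tag, so the
// session cookie can stay HttpOnly and JS never needs to read a cookie.
function makeClient(initialToken) {
  let token = initialToken;
  return {
    requestBody: (params) => ({ searchTerm: params.term, csrf_token: token }),
    // Call on every response: adopt the regenerated token if the server sent one.
    absorb(res) {
      if (res.body && res.body.csrf_hash) token = res.body.csrf_hash;
      return res.status;
    },
  };
}

// Reproduces the report: the second request is rejected because the client
// keeps sending the token it read at page load.
function staleTokenScenario() {
  const server = makeServer();
  const client = makeClient(server.initialToken());
  const first = server.post(client.requestBody({ term: "abc" })).status;
  const second = server.post(client.requestBody({ term: "abcd" })).status;
  return [first, second]; // [200, 403]
}

// Same flow, but the client rotates its token from each response.
function rotatingTokenScenario() {
  const server = makeServer();
  const client = makeClient(server.initialToken());
  return ["abc", "abcd", "abcde"].map(
    (term) => client.absorb(server.post(client.requestBody({ term })))
  ); // [200, 200, 200]
}
```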

@lonnieezell
Member

@perspolise This doesn't prove that cookies.HTTPOnly doesn't work, and, unless my coffee hasn't kicked in yet, doesn't deal with cookies at all. This is related to CSRF and AJAX, which you will find a number of posts on the forum. Please check there, and ask if you need help. There are many willing to help out there.

Since this doesn't appear to be a bug, I'm closing this issue.
