Cphalcon: [BUG] httpOnly flag is ignored in set() for cookies

Created on 15 Aug 2018 · 5 Comments · Source: phalcon/cphalcon

System:

$ phalcon info

Phalcon DevTools (3.4.0)

Environment:
  OS: Linux vmv 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
  PHP Version: 7.0.30-0+deb9u1
  PHP SAPI: cli
  PHP Bin: /usr/bin/php7.0
  PHP Extension Dir: /usr/lib/php/20151012
  PHP Bin Dir: /usr/bin
  Loaded PHP config: /etc/php/7.0/cli/php.ini
Versions:
  Phalcon DevTools Version: 3.4.0
  Phalcon Version: 3.4.0
  AdminLTE Version: 2.3.6

By default httpOnly seems to be active (see). In the API documentation one can see that this flag can be set with the last parameter of the set() method.
But regardless of the value I use, the cookie is always sent to the browser with httpOnly active.

Ex. in controller:

$this->cookies->set(
    'uid', // name
    $id, // value
    time() + 86400, // expire
    '/', // path
    false, // secure
    $domain, // domain
    false // http only
);

The only way I get httpOnly removed is by calling following statements right after set():

$cookie = $this->cookies->get('uid');
$cookie->setHttpOnly(false);

So the flag in set() seems to be ignored (all other parameters work correctly; only httpOnly is always set to true). That's not very comfortable. This is urgent to me, so to be sure I fall back to native setcookie() now.
What I do not understand is that the httpOnly flag is optional and declared with null when calling set(), but as a property in class Cookie it is initialized with true, see here.
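As an added illustration (not code from this issue or from the Phalcon project), here is a small PHP check that parses Set-Cookie header lines and compares the HttpOnly and Secure attributes actually emitted against what the application intended. It reads the wire-level header rather than the cookie object's getter, which is what matters when the two disagree as described above. The function names, the sample header lines and the cookie names are constructed for this example; in a running web request, pass headers_list() in place of the sample array before any output is sent.

```php
<?php
// Added example, not part of the issue thread or the Phalcon code base.
// Parses Set-Cookie header lines and reports the security attributes each
// cookie actually carries, so the emitted header can be compared with the
// intent, independently of what getHttpOnly() reports on the object.

declare(strict_types=1);

function parseSetCookie(string $header): array
{
    // Strip the optional "Set-Cookie:" prefix as returned by headers_list().
    $line  = preg_replace('/^set-cookie:\s*/i', '', trim($header));
    $parts = array_map('trim', explode(';', $line));
    $pair  = array_shift($parts);
    [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');

    $cookie = [
        'name'       => $name,
        'value'      => urldecode($value),
        'httponly'   => false,
        'secure'     => false,
        'samesite'   => null,
        'attributes' => [],
    ];

    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $attr, 2), 2, null);
        $key = strtolower($k);
        if ($key === 'httponly') {
            $cookie['httponly'] = true;          // flag attribute, no value
        } elseif ($key === 'secure') {
            $cookie['secure'] = true;            // flag attribute, no value
        } elseif ($key === 'samesite') {
            $cookie['samesite'] = $v;
        } else {
            $cookie['attributes'][$key] = $v;    // expires, max-age, path, domain
        }
    }
    return $cookie;
}

// Compares every Set-Cookie header against the flags the application intended.
// $expectations maps cookie name => ['httponly' => bool, 'secure' => bool, ...].
function auditCookies(array $headers, array $expectations): array
{
    $findings = [];
    foreach ($headers as $h) {
        if (stripos(trim($h), 'set-cookie:') !== 0) {
            continue;
        }
        $c = parseSetCookie($h);
        if (!isset($expectations[$c['name']])) {
            $findings[] = "{$c['name']}: no expectation declared for this cookie";
            continue;
        }
        foreach ($expectations[$c['name']] as $flag => $want) {
            if ($c[$flag] !== $want) {
                $findings[] = sprintf(
                    '%s: %s is %s, expected %s',
                    $c['name'], $flag, var_export($c[$flag], true), var_export($want, true)
                );
            }
        }
    }
    return $findings;
}

// Constructed sample headers in the shape headers_list() returns in a web SAPI.
$sampleHeaders = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: uid=42; expires=Thu, 16 Aug 2018 12:00:00 GMT; Max-Age=86400; path=/; domain=example.test; HttpOnly',
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
];

// The "uid" cookie is meant to be readable from JavaScript, the session
// cookie is meant to stay HttpOnly and Secure.
$expectations = [
    'uid'       => ['httponly' => false],
    'PHPSESSID' => ['httponly' => true, 'secure' => true],
];

foreach (auditCookies($sampleHeaders, $expectations) as $finding) {
    echo $finding, PHP_EOL;   // reports: uid: httponly is true, expected false
}
```

Running this in a request handler right before output is sent (headers_list() only reflects headers queued by a web SAPI, not the CLI) gives a direct answer to the question in this issue: whatever the Cookie object's property says, the audit shows the attribute the browser will actually receive.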

All 5 comments

    /**
     * Returns if the cookie is accessible only through the HTTP protocol
     */
public function getHttpOnly() -> boolean

what do you get when you invoke this method?

It is clear that default property value is set to true:
protected _httpOnly = true;

as you already outlined.

So $cookie->setHttpOnly(false); seems like a solution to the problem, if this is a problem at all.

I'm executing the following code

$this->cookies->set(
    'uid', // name
    $id, // value
    time() + 86400, // expire
    '/', // path
    false, // secure
    $domain, // domain
    false // http only
);
$check = $this->cookies->get('uid');
var_dump($check->getHttpOnly());

which gives me true. Seems like an internal bug.
BTW: It's a feature request, but I don't think it's correct to enable httpOnly by default, when the native PHP function setcookie expects this parameter as NULL if not set.

I have the same issue! Phalcon version 3.4.1 (migrated from 3.3.x).
So, our application sets a cookie at the backend, but frontend (JS) cannot get it because it has flag HttpOnly.
Pls, fix this.

I have the same. Strange, because the source code looks right.

class ExtraCookie extends \Phalcon\Http\Cookie
{
    public function __construct($name, $value = null, $expire = 0, $path = "/", $secure = null, $domain = null, $httpOnly = null)
    {
        parent::__construct($name, $value, $expire, $path, $secure, $domain, $httpOnly);

        var_dump($httpOnly);
        var_dump($this->_httpOnly);
    }
}

$cookie = new ExtraCookie('test-cookie', 'some value', time() + 8400, '/', false, null, false);

bool(false) bool(true)

Version => 3.4.2
Build Date => Dec 2 2018 17:24:20
Powered by Zephir => Version 0.10.14

This has been resolved