
Anonymous committed 2733fc7

Adding config option to require the 'secure' setting for all cookies - requires HTTPS.


Files changed (4)

application/config/config.php

 | 'cookie_prefix' = Set a prefix if you need to avoid collisions
 | 'cookie_domain' = Set to .your-domain.com for site-wide cookies
 | 'cookie_path'   =  Typically will be a forward slash
+| 'cookie_secure' =  Cookies will only be set if a secure HTTPS connection exists.
 |
 */
 $config['cookie_prefix']	= "";
 $config['cookie_domain']	= "";
 $config['cookie_path']		= "/";
+$config['cookie_secure']	= FALSE;
 
 /*
 |--------------------------------------------------------------------------
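Review bot: The new `cookie_secure` comment line reads as if the framework checks the connection, but in the Input.php and Session.php sections of this commit the value is only passed through as the secure argument of setcookie(); nothing visible tests for HTTPS. It also does not say that only the boolean TRUE is honoured, although both call sites compare with `=== TRUE`. I would reword it to something like `| 'cookie_secure' = Set to TRUE (boolean) to add the Secure flag to every cookie; browsers then return them only over HTTPS`. A second comment line should warn that enabling it on a plain-HTTP site means cookies, including the session cookie, are never sent back.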

system/core/Input.php

 				$expire = 0;
 			}
 		}
+		
+		$secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
 
-		setcookie($prefix.$name, $value, $expire, $path, $domain, 0);
+		setcookie($prefix.$name, $value, $expire, $path, $domain, $secure_cookie);
 	}
 
 	// --------------------------------------------------------------------
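Review bot: The `=== TRUE` test on the added `$secure_cookie` line fails open: a config value of `1` or `'TRUE'` leaves the Secure flag off with no warning, which is easy to miss for a setting meant to keep cookies off cleartext connections. The same line is added in system/libraries/Session.php. Consider `$secure_cookie = (bool) config_item('cookie_secure');`, or keep the strict test and log when the item is set but is not a boolean. The enclosing function starts outside the hunk, so it is not visible whether a caller can request a secure cookie for a single call.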

system/libraries/Session.php

 		}
 
 		$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();
+		
+		$secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
 
 		// Set the cookie
 		setcookie(
 					$expire,
 					$this->cookie_path,
 					$this->cookie_domain,
-					0
+					$secure_cookie
 				);
 	}
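Review bot: The setcookie() call for the session cookie still ends at the secure argument, so the cookie carrying the session data remains readable from script in the page even when `cookie_secure` is on. If the minimum supported PHP version allows it (the httponly parameter exists from PHP 5.2), pass `TRUE` as a seventh argument after `$secure_cookie`. Separately, path and domain come from `$this->cookie_path` and `$this->cookie_domain`, while the secure flag is read with config_item() on each write; a `$this->cookie_secure` property would keep the cookie settings in one place. The method starts outside the hunk and the listing skips lines between `setcookie(` and `$expire,`.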
 

user_guide/changelog.html

 
 <h3>Bug Fixes for 2.0.1</h3>
 <ul>
+	<li>General changes
+		<ul>
+			<li>Added <kbd>$config['cookie_secure']</kbd> to the config file to allow requiring a secure (HTTPS) in order to set cookies.</li>
+		</ul>
+	</li>
 	<li>Libraries
 		<ul>
 			<li>Fixed a bug where the table class would not clear table data after calling generate().</li>