
Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

Low
MGatner published GHSA-745p-r637-7vvp Oct 6, 2022

Package

codeigniter4/framework (Composer)

Affected versions

< 4.2.7

Patched versions

4.2.7

Description

Impact

Setting the $secure or $httponly value to true in Config\Cookie is not reflected in cookies issued through set_cookie() or Response::setCookie().

Note
This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

    helper('cookie');

    $cookie = [
        'name'  => $name,
        'value' => $value,
    ];
    set_cookie($cookie);
    // or
    $this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

  1. Specify the options explicitly.
    helper('cookie');
    
    $cookie = [
        'name'     => $name,
        'value'    => $value,
        'secure'   => true,
        'httponly' => true,
    ];
    set_cookie($cookie);
    // or
    $this->response->setCookie($cookie);
  2. Use a Cookie object.
    use CodeIgniter\Cookie\Cookie;
    
    helper('cookie');
    
    $cookie = new Cookie($name, $value);
    set_cookie($cookie);
    // or
    $this->response->setCookie($cookie);
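
To confirm that the upgrade or a workaround took effect, the Set-Cookie headers in the application's responses can be checked directly. The following is an added example, not part of the advisory or the CodeIgniter project; the function names and the sample header lines are constructed for illustration.

```python
"""Audit raw Set-Cookie header lines for missing Secure / HttpOnly attributes."""

REQUIRED = ("secure", "httponly")


def parse_set_cookie(line):
    """Return (cookie_name, set of lowercased attribute names) for one header line."""
    # Accept either a bare header value or a full "Set-Cookie: ..." line.
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    # Split on ';' only: the Expires value legitimately contains a comma.
    parts = [p.strip() for p in line.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Compare attribute *names* only, so "path=/secure" is not mistaken for Secure.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(lines):
    """Map each cookie name to the required attributes it is missing."""
    findings = {}
    for line in lines:
        name, attrs = parse_set_cookie(line)
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers (not captured from a real application).
SAMPLE = [
    # Shape of a cookie issued without either flag; note the misleading path.
    "Set-Cookie: remember=abc123; expires=Thu, 06-Oct-2022 12:00:00 GMT; "
    "Max-Age=3600; path=/secure; SameSite=Lax",
    # Both flags present, as expected after the upgrade or a workaround.
    "Set-Cookie: theme=dark; path=/; secure; HttpOnly; SameSite=Lax",
    # Secure present, HttpOnly missing.
    "Set-Cookie: prefs=1; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie lines from a response captured over HTTPS; an empty result means every cookie in that response carried both attributes.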

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-39284

Weaknesses