Not a bug  HttpOnly?


Why is HttpOnly send lower-case (httponly) and not as HttpOnly?
This is an issue for us as our framework is ignoring lowercase httponly cookies as "not well formatted"


Thanks for the reply.

Is there any way to disable httponly using config.php?
Something like
$config['cookie']['httponly'] = 'false';
Found a way to disable it direct in the code (setcookie in session.php), but it would be nice if there would be a way directly in the config file


XenForo developer
Staff member
I think you'll have to continue with code changes for it - it's a reasonable security feature so I don't see any reason to allow it to be disabled. You'd run into your issue with any PHP app that uses it (that doesn't write its own cookie sending function).