1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Not a Bug HttpOnly?

Discussion in 'Resolved Bug Reports' started by OhJames, May 23, 2011.

  1. OhJames

    OhJames New Member


    Why is HttpOnly send lower-case (httponly) and not as HttpOnly?
    This is an issue for us as our framework is ignoring lowercase httponly cookies as "not well formatted"


  2. Mike

    Mike XenForo Developer Staff Member

  3. OhJames

    OhJames New Member

    Thanks for the reply.

    Is there any way to disable httponly using config.php?
    Something like
    $config['cookie']['httponly'] = 'false';
    Found a way to disable it direct in the code (setcookie in session.php), but it would be nice if there would be a way directly in the config file
  4. Mike

    Mike XenForo Developer Staff Member

    I think you'll have to continue with code changes for it - it's a reasonable security feature so I don't see any reason to allow it to be disabled. You'd run into your issue with any PHP app that uses it (that doesn't write its own cookie sending function).

Share This Page