• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Not a bug  HttpOnly?

#1
Hello

Why is HttpOnly send lower-case (httponly) and not as HttpOnly?
This is an issue for us as our framework is ignoring lowercase httponly cookies as "not well formatted"

Thanks

James
 
#3
Thanks for the reply.

Is there any way to disable httponly using config.php?
Something like
$config['cookie']['httponly'] = 'false';
Found a way to disable it direct in the code (setcookie in session.php), but it would be nice if there would be a way directly in the config file
thanks
 

Mike

XenForo developer
Staff member
#4
I think you'll have to continue with code changes for it - it's a reasonable security feature so I don't see any reason to allow it to be disabled. You'd run into your issue with any PHP app that uses it (that doesn't write its own cookie sending function).