Not a bug HttpOnly?

[OhJames]

Hello

Why is HttpOnly send lower-case (httponly) and not as HttpOnly?
This is an issue for us as our framework is ignoring lowercase httponly cookies as "not well formatted"

Thanks

James

 

[Mike]

That's how PHP sends cookies: http://lxr.php.net/opengrok/xref/PHP_5_3/ext/standard/head.c

Regardless, it should be noted that in the relevant RFCs, cookie attributes are considered to be case insensitive:
http://tools.ietf.org/html/rfc2109
http://www.rfc-editor.org/rfc/rfc6265.txt

 

[OhJames]

Thanks for the reply.

Is there any way to disable httponly using config.php?
Something like
$config['cookie']['httponly'] = 'false';
Found a way to disable it direct in the code (setcookie in session.php), but it would be nice if there would be a way directly in the config file
thanks

 

[Mike]

I think you'll have to continue with code changes for it - it's a reasonable security feature so I don't see any reason to allow it to be disabled. You'd run into your issue with any PHP app that uses it (that doesn't write its own cookie sending function).