Skip to content

Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

Low
MGatner published GHSA-745p-r637-7vvp Oct 6, 2022

Package

composer codeigniter4/framework (Composer)

Affected versions

< 4.2.7

Patched versions

4.2.7

Description

Impact

Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie().

Note
This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

  1. Specify the options explicitly. 
    helper('cookie');

$cookie = [
    'name'     => $name,
    'value'    => $value,
    'secure'   => true,
    'httponly' => true,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
  2. Use Cookie object. 
    use CodeIgniter\Cookie\Cookie;

helper('cookie');

$cookie = new Cookie($name, $value);
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-39284

Weaknesses

Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Learn more on MITRE.