

Add option to make CSRF Token HttpOnly.
This option lets users opt in to HttpOnly cookies for CSRF tokens; this
is useful when you have no client-side scripting that needs a CSRF
token.

Refs #7727
markstory committed Nov 26, 2015
1 parent 238b053 commit f7f5e21
Showing 2 changed files with 6 additions and 1 deletion.
3 changes: 3 additions & 0 deletions src/Controller/Component/CsrfComponent.php
Expand Up @@ -46,6 +46,7 @@ class CsrfComponent extends Component
* - cookieName = The name of the cookie to send.
* - expiry = How long the CSRF token should last. Defaults to browser session.
* - secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
* - httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
* - field = The form field to check. Changing this will also require configuring
* FormHelper.
*
Expand All @@ -55,6 +56,7 @@ class CsrfComponent extends Component
'cookieName' => 'csrfToken',
'expiry' => 0,
'secure' => false,
'httpOnly' => false,
'field' => '_csrfToken',
];

Expand Down Expand Up @@ -132,6 +134,7 @@ protected function _setCookie(Request $request, Response $response)
'expire' => $expiry->format('U'),
'path' => $request->webroot,
'secure' => $this->_config['secure'],
'httpOnly' => $this->_config['httpOnly'],
]);
}

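Review bot: The new docblock line `* - httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.` documents the flag but not its consequence, which is the only thing a user deciding on it needs: once enabled, client-side scripts can no longer read the token cookie, so any JavaScript that currently takes the token from the cookie to send it with requests stops working and has to obtain it from the rendered form or a server-side template instead. The commit message states this trade-off; it belongs in the option documentation too, e.g. extend the line with `Enable only when no client-side script needs to read the token cookie.`. The value forwarded in `_setCookie` (`'httpOnly' => $this->_config['httpOnly']`) is taken from config as-is, so a non-boolean config value is passed through unchecked — that mirrors how `secure` is handled, so it is likely acceptable, but worth knowing. The class docblock and the body of `_setCookie` both start outside the hunks shown.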
4 changes: 3 additions & 1 deletion tests/TestCase/Controller/Component/CsrfComponentTest.php
Expand Up @@ -265,7 +265,8 @@ public function testConfigurationCookieCreate()
$component = new CsrfComponent($this->registry, [
'cookieName' => 'token',
'expiry' => '+1 hour',
'secure' => true
'secure' => true,
'httpOnly' => true
]);

$event = new Event('Controller.startup', $controller);
Expand All @@ -278,6 +279,7 @@ public function testConfigurationCookieCreate()
$this->assertWithinRange((new Time('+1 hour'))->format('U'), $cookie['expire'], 1, 'session duration.');
$this->assertEquals('/dir/', $cookie['path'], 'session path.');
$this->assertTrue($cookie['secure'], 'cookie security flag missing');
$this->assertTrue($cookie['httpOnly'], 'cookie httpOnly flag missing');
}

/**
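Review bot: The assertion added at the end of `testConfigurationCookieCreate` pins only the opt-in case; nothing in the changed tests asserts that the default `httpOnly => false` the component now declares is what reaches the cookie, which is the backward-compatibility guarantee this commit depends on. If a test exercises the cookie produced under default configuration (the rest of the test file is outside this view), add `$this->assertFalse($cookie['httpOnly'], 'cookie should not be HttpOnly by default');` there. `testConfigurationCookieCreate` begins before the first hunk and its middle lies between the two hunks shown.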

