I forgot the most important part! Enabling security flags on the cookie!

  Use the cookie_secure flag to prevent OWASP A9 violations when HTTPS is available.
  Enable the httponly flag to prevent an attacker from obtaining the cookie with XSS.
1 parent 27d1e61 commit 804905facdade89e52cc6d1f6e4a854274daace7 @TheRook committed Oct 14, 2012
Showing with 9 additions and 7 deletions.
  1. +8 −6 application/config/config.php
  2. +1 −1 system/libraries/Session/drivers/Session_cookie.php
@@ -301,15 +301,17 @@
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path' = Typically will be a forward slash
-| 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
+| 'cookie_secure' = Transmit cookies over HTTPS (Prevents OWASP A9)
| 'cookie_httponly' = Cookie will only be accessible via HTTP(S) (no javascript)
|
*/
-$config['cookie_prefix'] = '';
-$config['cookie_domain'] = '';
-$config['cookie_path'] = '/';
-$config['cookie_secure'] = FALSE;
-$config['cookie_httponly'] = FALSE;
+$config['cookie_prefix'] = '';
+$config['cookie_domain'] = '';
+$config['cookie_path'] = '/';
+if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on"){
@padraic Feb 9, 2013

Need to also check for X-Forwarded-Proto since that will actually be set for Amazon Web Services, for example.

+ $config['cookie_secure'] = TRUE;
+}
+$config['cookie_httponly'] = TRUE;
/*
|--------------------------------------------------------------------------
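Review bot: `$config['cookie_secure']` is now only assigned inside the `if` block, so on a plain-HTTP request the key is left undefined where the old line set it to FALSE; assign it unconditionally instead, e.g. `$config['cookie_secure'] = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on");`. The `== "on"` comparison also misses servers that populate `$_SERVER['HTTPS']` with a different non-empty value, and, as raised in the thread, it cannot see HTTPS that is terminated at a load balancer; if `X-Forwarded-Proto` is consulted for that case it must only be honoured when the request comes from a known proxy address, because the header is client-controllable otherwise. Finally, the rewritten doc line loses the original meaning: `cookie_secure` instructs the browser to send the cookie only over HTTPS, it does not transmit anything itself, so the previous wording "Cookies will only be set if a secure HTTPS connection exists" should stay.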
@@ -127,7 +127,7 @@ class CI_Session_cookie extends CI_Session_driver {
*
* @var bool
*/
- public $cookie_httponly = FALSE;
+ public $cookie_httponly = TRUE;
/**
* Interval at which to update session
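Review bot: flipping the class default of `$cookie_httponly` to TRUE is a behaviour change for any install whose config.php does not set `cookie_httponly`, and nothing in this hunk shows how a config value overrides the property; confirm that an explicit `$config['cookie_httponly']` still wins, and update the docblock above (`@var bool`) and the changelog to state that the default is now TRUE, since applications that read the session cookie from JavaScript will otherwise break silently.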

0 comments on commit 804905f
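The commit message sets `cookie_secure` from `$_SERVER['HTTPS']` and the thread points out that a TLS-terminating proxy such as an AWS load balancer only signals HTTPS through `X-Forwarded-Proto`. The following added example (not CodeIgniter's code) shows one way to combine both signals safely; the helper name `request_is_https` and the trusted-proxy list are assumptions for illustration.

```php
<?php
// Added example, not part of CodeIgniter: decide whether the current request
// reached the client over HTTPS, so that cookie_secure is set correctly both for
// direct TLS and when TLS is terminated at a proxy that forwards plain HTTP.
// The helper name and the trusted-proxy list are illustrative assumptions.

/**
 * @param array    $server          Normally $_SERVER.
 * @param string[] $trusted_proxies Peer addresses whose X-Forwarded-Proto is honoured.
 * @return bool
 */
function request_is_https(array $server, array $trusted_proxies = array())
{
    // Direct TLS: PHP sets HTTPS to a non-empty value; some servers use "off"
    // for plain HTTP, so test for "not off" rather than for exactly "on".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return TRUE;
    }

    // Behind a TLS-terminating proxy only X-Forwarded-Proto carries the client
    // scheme. Honour it solely when the immediate peer is one of our proxies;
    // otherwise the header is client-controllable and cannot be trusted.
    if (isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, TRUE)) {
        // The header may be a comma-separated chain; the first entry is the
        // scheme the client used.
        $parts = explode(',', $server['HTTP_X_FORWARDED_PROTO']);
        return strtolower(trim($parts[0])) === 'https';
    }

    return FALSE;
}

// Constructed sample inputs covering direct TLS, a trusted proxy and an
// untrusted peer sending the header.
$trusted   = array('10.0.0.5');
$direct    = array('HTTPS' => 'on', 'REMOTE_ADDR' => '198.51.100.7');
$proxied   = array('HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '10.0.0.5');
$untrusted = array('HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '198.51.100.7');

var_dump(request_is_https($direct, $trusted));
var_dump(request_is_https($proxied, $trusted));
var_dump(request_is_https($untrusted, $trusted));

// In application/config/config.php the value is assigned on every request, so
// cookie_secure is never left undefined on plain-HTTP requests.
$config['cookie_secure']   = request_is_https($_SERVER, $trusted);
$config['cookie_httponly'] = TRUE;
```

Run under the CLI the first two checks are true and the third is false; the proxy list should hold only the addresses of the load balancers that actually front the application.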