HttpResponse->setCookie VS setcookie and problem with $httpOnly

Notice: This thread is very old.
chemix
Nette Core | 1310

Hi,

I found a problem with setting a cookie (without the httpOnly param).

If I have this code:

// TEST
$httpResponse = $this->context->httpResponse;
// setCookie($name, $value, $time, $path = NULL, $domain = NULL, $secure = NULL, $httpOnly = NULL)
$httpResponse->setCookie('test_1', true, '0');
$httpResponse->setCookie('test_2', true, '0', NULL, NULL, NULL, false);

setcookie('test_3', true, 0);
setcookie('test_4', true, 0, '/', 'tond.l', false, true);
setcookie('test_5', true, 0, NULL, NULL, NULL, NULL);
setcookie('test_6', true, 0, NULL, NULL, NULL, true);

The result in the browser is:

My prediction is that test_1 is not httpOnly, but…?

HTTP Response

X-Powered-By: Nette Framework
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=29cec31c3a359060eacbd3d2b3be91ca; expires=Thu, 05-Jul-2012 14:52:34 GMT; path=/; httponly
Set-Cookie: nette-browser=v90ey2i6vh; path=/; httponly
Set-Cookie: test_1=1; path=/; httponly
Set-Cookie: test_2=1; path=/

Server:

PHP 5.3.1
Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_perl/2.0.4 Perl/v5.10.1
Nette Framework 2.0.3 (revision eb558ae released on 2012-04-04)
David Grudl
Nette Core | 8218

It is correct, httpOnly is the default, for security reasons.

chemix
Nette Core | 1310

OK, but it's different behavior than setcookie(), and it is not mentioned in the documentation.

Only:
setCookie( string $name, string $value, string|integer|DateTime $time, string $path = NULL, string $domain = NULL, boolean $secure = NULL, boolean $httpOnly = NULL )
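
An added example, not part of the thread and not Nette's own code: a small PHP check that parses Set-Cookie header lines and lists the cookies sent without HttpOnly, run over the Set-Cookie lines from the response quoted in the first post. The function names are hypothetical.

```php
<?php
// Added example (not Nette code): list cookies whose Set-Cookie header lacks HttpOnly.
// Function names are hypothetical; the sample headers are copied from the response in the thread.

/** Split one Set-Cookie value into the cookie name and its lower-cased attributes. */
function parseSetCookie(string $value): array
{
    $parts = array_map('trim', explode(';', $value));
    $pair = explode('=', array_shift($parts), 2);   // "name=value"
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        // Flag attributes (HttpOnly, Secure) carry no value; store TRUE for them.
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : true;
    }
    return ['name' => trim($pair[0]), 'attrs' => $attrs];
}

/** Return the names of cookies that were set without the HttpOnly attribute. */
function cookiesMissingHttpOnly(array $headerLines): array
{
    $missing = [];
    foreach ($headerLines as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;   // not a cookie header
        }
        $cookie = parseSetCookie(substr($line, strlen('Set-Cookie:')));
        if (!isset($cookie['attrs']['httponly'])) {
            $missing[] = $cookie['name'];
        }
    }
    return $missing;
}

$headers = [
    'X-Frame-Options: SAMEORIGIN',
    'Set-Cookie: PHPSESSID=29cec31c3a359060eacbd3d2b3be91ca; expires=Thu, 05-Jul-2012 14:52:34 GMT; path=/; httponly',
    'Set-Cookie: nette-browser=v90ey2i6vh; path=/; httponly',
    'Set-Cookie: test_1=1; path=/; httponly',
    'Set-Cookie: test_2=1; path=/',
];

foreach (cookiesMissingHttpOnly($headers) as $name) {
    echo "cookie without HttpOnly: $name\n";
}
```

On the headers from the thread it reports only test_2, the cookie that was set with $httpOnly passed as false.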