CHttpCookie httpOnly

How does one set the httpOnly parameter (of the CHttpCookie component) in the main config, so that all cookies created by CHttpCookie are "http only"?

I’m using PHP 5.2 and I’ve tried with


'user'=>array(
	'allowAutoLogin'=>true,
	'identityCookie'=>array(
		'httpOnly'=>true,
	),
),

but the application still outputs the cookie information with JS: alert(document.cookie)

You mean the CHttpCookie that is used for the session? You can alter these params like this:


'components'=>array(
	'session'=>array(
		'cookieParams' => array(
			'httpOnly'=>true,
		),
	),
),

It was my bad. I didn’t clear the old cookies properly.

My config:

...
'request'=>array(
	'enableCsrfValidation' => true,
	'enableCookieValidation'=>true,
	'csrfCookie'=>array(
		'httpOnly'=>true,
	),
),
'session' => array(
	'cookieParams' => array(
		'httpOnly' => true,
	),
),
...

It worked when I deleted/created the cookies.

I also didn’t want to allow PHPSESSID to be visible through JavaScript, but for this I had to go to php.ini and set session.cookie_httponly to 1.

With this setting I’ve added another layer to my XSS shield. Plenty more to go. Thanks.
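Because the browser's cookie jar can hold stale cookies (which is exactly what confused the test with alert(document.cookie) above), the reliable way to confirm the flag is to inspect the Set-Cookie response headers themselves. The script below is an added example, not code from this thread or from the Yii project: it parses raw Set-Cookie lines (the sample lines are constructed, imitating what PHP's session and Yii's CSRF cookie emit) and lists the cookies a browser would still expose to document.cookie, i.e. those without HttpOnly, flagging a missing Secure attribute as well. fetch_set_cookie_headers is an assumed helper for pulling live headers from a site you operate; it is not called in the stand-alone run.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure (added example, not from the thread)."""
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    samesite: Optional[str]
    issues: List[str]


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    issues = []
    if not http_only:
        issues.append("missing HttpOnly: readable via document.cookie")
    if not secure:
        issues.append("missing Secure: sent over plain HTTP")
    return CookieAudit(name.strip(), http_only, secure, attrs.get("samesite"), issues)


def audit_headers(set_cookie_lines: List[str]) -> Dict[str, CookieAudit]:
    """Audit every Set-Cookie line of one response, keyed by cookie name."""
    return {audit.name: audit for audit in map(parse_set_cookie, set_cookie_lines)}


def exposed_to_script(audits: Dict[str, CookieAudit]) -> List[str]:
    """Names that alert(document.cookie) would reveal: cookies without HttpOnly."""
    return [name for name, audit in audits.items() if not audit.http_only]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Assumed helper: fetch all Set-Cookie headers from a URL you operate (live check)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers: PHP session cookie with httponly, Yii CSRF cookie with
# both flags, and a third cookie that was never given HttpOnly.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "YII_CSRF_TOKEN=def456; expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/; HttpOnly; secure",
    "remember_me=ghi789; path=/",
]


if __name__ == "__main__":
    results = audit_headers(SAMPLE_HEADERS)
    for name, audit in results.items():
        status = "OK" if not audit.issues else "; ".join(audit.issues)
        print(f"{name}: {status}")
    print("visible to document.cookie:", exposed_to_script(results))
```

Run it against the headers of a fresh response (curl -I or fetch_set_cookie_headers) rather than against the browser's stored cookies; a cookie set before the config change keeps its old attributes until it is deleted or re-issued, which is why the result only changed after the cookies were recreated.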

I found that the key had to be in lowercase, i.e. httponly, not httpOnly:




'session' => array(
	'cookieParams' => array(
		'httponly' => true,
	),
),



The Yii code which sets the cookie uses extract($value) to convert the array into variables, and it’s looking for $httponly.

'components'=>array(
	'session'=>array(
		'cookieParams' => array(
			'httpOnly'=>true,
		),
	),
),

When I am placing the same code I'm getting internal error 500.

Please do the needful.