HttpOnly flag not working in CDbHttpSession

I’m trying to raise the ‘httpOnly’ flag in the ‘cookieParams’ property of ‘CDbHttpSession’ in my session configuration, as described in the Yii documentation. This flag is somehow not working, and document.cookie in JavaScript is always able to show the cookie value.

Here is my array in main config:


'session'=>array(
    'class' => 'CDbHttpSession',
    'connectionID'=>'db',
    'sessionTableName' => 'yiisession',
    'sessionName' => 'session_name',
    'timeout' => 24 * 3600,
    'autoStart'=>false,
    'cookieParams' => array(
        'httpOnly'=>true,
    ),
),

Is there anything I’m doing wrong here ?

Thank you

Variable names are case sensitive, so try using ‘httponly’:

'session'=>array(
    'class' => 'CDbHttpSession',
    'connectionID'=>'db',
    'sessionTableName' => 'yiisession',
    'sessionName' => 'session_name',
    'timeout' => 24 * 3600,
    'autoStart'=>false,
    'cookieParams' => array(
        'httponly'=>true,
    ),
),
I tried it in lowercase as well, but document.cookie was still able to show me the complete values of the cookie.

If it works, document.cookie should not display any cookie value. Am I right to understand this?

Have you ensured that you’ve cleared your cookies between attempts? You might be using one that was set while the attribute was specified incorrectly.

Yes, Keith.

I have already tried that as well. I removed the cookies and retried. I even changed the session name to be sure of the process. But the values are still visible via document.cookie.

That’s interesting and sounds like it may be a bug in the Yii core. You can report it here if you’d like to help get it fixed.

Dear Keith,

I realized there was a problem on my side. This was indeed a lowercase problem, but in my own main config and not in the Yii core.

I apologize for the time wasted due to my silly mistake.

I have deleted my reply where I mentioned this as a Yii bug.

Thanks for your time.
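The root cause in this thread is that Yii 1.x hands ‘cookieParams’ through to PHP’s own session_set_cookie_params(), whose keys are all lowercase, so a mis-cased key such as ‘httpOnly’ is silently dropped. The following is an added example, not code from the thread or from Yii, that lints a cookieParams array against the key names PHP reports from session_get_cookie_params(); lintCookieParams is an assumed helper name and the sample arrays are constructed.

```php
<?php
// Added example (not from the forum thread or the Yii code base).
// Lints a Yii 1.x 'cookieParams' array: PHP's session cookie API only
// recognises lowercase keys, so 'httpOnly' is ignored while 'httponly' works.

function lintCookieParams(array $params): array
{
    // Keys PHP actually understands for this PHP version
    // (lifetime, path, domain, secure, httponly, and samesite on PHP >= 7.3).
    $known = array_keys(session_get_cookie_params());
    $problems = [];

    foreach ($params as $key => $value) {
        if (in_array($key, $known, true)) {
            continue;                       // exact, lowercase match: fine
        }
        $lower = strtolower($key);
        if (in_array($lower, $known, true)) {
            $problems[] = "key '$key' is ignored by PHP; use '$lower'";
        } else {
            $problems[] = "unknown cookie param '$key'";
        }
    }

    // The flag this thread is about: make sure it is really switched on.
    if (empty($params['httponly'])) {
        $problems[] = "'httponly' is not enabled; document.cookie can read the session id";
    }
    return $problems;
}

// Constructed samples: the original config from the question and the fixed one.
$misCased = ['httpOnly' => true];
$fixed    = ['httponly' => true];

print_r(lintCookieParams($misCased)); // reports the 'httpOnly' key and the missing flag
print_r(lintCookieParams($fixed));    // empty array: nothing to fix

// Apply the corrected parameters exactly as PHP expects, then confirm the flag
// is set before any session cookie is sent (lifetime 0 = session cookie).
session_set_cookie_params(0, '/', '', false, true);
var_dump(session_get_cookie_params()['httponly']); // bool(true)
```

Run it from the CLI with the candidate config pasted in; for a deployed app, confirm the result in the browser by checking the Set-Cookie response header for the HttpOnly attribute rather than relying on document.cookie alone.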