Hi Qiang,
I think it would be really useful to include support for the HttpOnly parameter in setcookie, which is available when the PHP version is > 5.2. This is where the change could be done:
    protected function addCookie($cookie, $httponly = null)
    {
        $value = $cookie->value;
        if ($this->_request->enableCookieValidation)
            $value = Yii::app()->getSecurityManager()->hashData($value);
        // The httponly argument of setcookie() exists only in PHP 5.2.0 and later,
        // so compare PHP_VERSION against '5.2.0' (not the other way round)
        if ($httponly !== null && version_compare(PHP_VERSION, '5.2.0', '>='))
            setcookie($cookie->name, $value, $cookie->expire, $cookie->path,
                      $cookie->domain, $cookie->secure, $httponly === true);
        else
            setcookie($cookie->name, $value, $cookie->expire, $cookie->path,
                      $cookie->domain, $cookie->secure);
    }
This is to mitigate the risk of XSS attacks.
References:
https://www.owasp.or…ex.php/HTTPOnly
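An added example, not part of the original post or of Yii itself, showing how the HttpOnly flag can be emitted on any PHP version (falling back to a hand-built Set-Cookie header where setcookie() lacks the seventh argument) and how to check a Set-Cookie header string for the flag; the function names are hypothetical:

```php
<?php
// Added example (not from the original post or from Yii). Helper names are
// hypothetical. Builds a Set-Cookie header line with the HttpOnly attribute.
function buildSetCookieHeader($name, $value, $expire = 0, $path = '/',
                              $domain = '', $secure = false, $httponly = true)
{
    $parts = array(rawurlencode($name) . '=' . rawurlencode($value));
    if ($expire > 0) {
        // Cookie expiry dates are always expressed in GMT
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $parts[] = 'path=' . $path; }
    if ($domain !== '') { $parts[] = 'domain=' . $domain; }
    if ($secure)        { $parts[] = 'secure'; }
    if ($httponly)      { $parts[] = 'HttpOnly'; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Sends the cookie; uses setcookie()'s httponly argument where PHP has it,
// otherwise writes the header directly so the flag is never silently dropped.
function sendCookieWithHttpOnly($name, $value, $expire = 0, $path = '/',
                                $domain = '', $secure = false, $httponly = true)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    }
    header(buildSetCookieHeader($name, $value, $expire, $path, $domain,
                                $secure, $httponly), false);
    return true;
}

// Defender-side check: does a Set-Cookie header carry a given attribute
// (e.g. 'HttpOnly' or 'secure')? Attribute names are case-insensitive.
function cookieHeaderHasAttribute($header, $attribute)
{
    foreach (explode(';', $header) as $part) {
        if (strcasecmp(trim($part), $attribute) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample: audit the header the fallback path would emit.
$h = buildSetCookieHeader('PHPSESSID', 'abc123', 0, '/', '', true, true);
var_dump(cookieHeaderHasAttribute($h, 'HttpOnly'));
var_dump(cookieHeaderHasAttribute($h, 'secure'));
```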