CVE-2022-39284: Cookie Helper — CodeIgniter 4.2.7 documentation
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7, setting the $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(). As a result, cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies, either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
The Cookie Helper file contains functions that assist in working with cookies.
- Loading this Helper
- Available Functions
Loading this Helper
This helper is loaded using the following code:
Available Functions
The following functions are available:
set_cookie($name[, $value = ''[, $expire = ''[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = false[, $httpOnly = false[, $sameSite = '']]]]]]]])
Parameters:
- $name (mixed) – Cookie name or associative array of all of the parameters available to this function
- $value (string) – Cookie value
- $expire (int) – Number of seconds until expiration
- $domain (string) – Cookie domain (usually: .yourdomain.com)
- $path (string) – Cookie path
- $prefix (string) – Cookie name prefix. If '', the default from app/Config/Cookie.php is used
- $secure (bool) – Whether to only send the cookie through HTTPS. If null, the default from app/Config/Cookie.php is used
- $httpOnly (bool) – Whether to hide the cookie from JavaScript. If null, the default from app/Config/Cookie.php is used
- $sameSite (string) – The value for the SameSite cookie parameter. If null, the default from app/Config/Cookie.php is used
Return type:
void
Note
Prior to v4.2.7, the default values of $secure and $httpOnly were false due to a bug, and these values from app/Config/Cookie.php were never used.
This helper function gives you friendlier syntax to set browser cookies. Refer to the Response Library for a description of its use, as this function is an alias for CodeIgniter\HTTP\Response::setCookie().
get_cookie($index[, $xssClean = false[, $prefix = '']])
Parameters:
- $index (string) – Cookie name
- $xssClean (bool) – Whether to apply XSS filtering to the returned value
- $prefix (string|null) – Cookie name prefix. If set to '', the default value from app/Config/Cookie.php will be used. If set to null, no prefix
Returns:
The cookie value or null if not found
Return type:
mixed
Note
Since v4.2.1, the third parameter $prefix has been introduced and the behavior has been changed a bit due to a bug fix. See Upgrading for details.
This helper function gives you friendlier syntax to get browser cookies. Refer to the IncomingRequest Library for detailed description of its use, as this function acts very similarly to IncomingRequest::getCookie(), except it will also prepend the Config\Cookie::$prefix that you might’ve set in your app/Config/Cookie.php file.
Warning
Using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using esc() with the correct $context in the views is recommended.
delete_cookie($name[, $domain = ''[, $path = '/'[, $prefix = '']]])
Parameters:
- $name (string) – Cookie name
- $domain (string) – Cookie domain (usually: .yourdomain.com)
- $path (string) – Cookie path
- $prefix (string) – Cookie name prefix
Return type:
void
Lets you delete a cookie. Unless you’ve set a custom path or other values, only the name of the cookie is needed.

```php
<?php

delete_cookie('name');
```
This function is otherwise identical to set_cookie(), except that it does not have the value and expire parameters.
Note
When you use set_cookie(), if the value is set to empty string and the expire is set to 0, the cookie will be deleted. If the value is set to non-empty string and the expire is set to 0, the cookie will only last as long as the browser is open.
You can submit an array of values in the first parameter or you can set discrete parameters.

```php
<?php

delete_cookie($name, $domain, $path, $prefix);
```
has_cookie(string $name[, ?string $value = null[, string $prefix = '']])
Parameters:
- $name (string) – Cookie name
- $value (string|null) – Cookie value
- $prefix (string) – Cookie prefix
Return type:
bool
Checks if a cookie exists by name. This is an alias of Response::hasCookie().
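To show the four helpers working together, here is an added example (not part of the CodeIgniter documentation) of a hypothetical `Preferences` controller and its routes. It passes `secure`, `httponly` and `samesite` explicitly to `set_cookie()` so the flags on the issued cookie do not depend on Config\Cookie being honoured, which matters on versions before 4.2.7, and it treats the incoming cookie value as untrusted input:

```php
<?php
// app/Controllers/Preferences.php (hypothetical file and route; added example, not from the docs)

namespace App\Controllers;

class Preferences extends BaseController
{
    private const COOKIE_NAME = 'theme';
    private const COOKIE_PATH = '/';
    private const ALLOWED     = ['light', 'dark'];

    // GET /preferences/save/dark
    public function save(string $theme)
    {
        helper('cookie');

        // Allow-list the value: it will come back as attacker-controllable request input
        if (! in_array($theme, self::ALLOWED, true)) {
            return $this->response->setStatusCode(400);
        }

        // Options are given explicitly instead of relying on app/Config/Cookie.php,
        // so the same flags are emitted on every 4.x version
        set_cookie([
            'name'     => self::COOKIE_NAME,
            'value'    => $theme,
            'expire'   => 60 * 60 * 24 * 30, // seconds until expiry
            'path'     => self::COOKIE_PATH,
            'secure'   => true,   // only sent over HTTPS
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',  // not attached to cross-site POST requests
        ]);

        // has_cookie() is an alias of Response::hasCookie(): it inspects cookies
        // queued on *this response*, not the cookies the browser sent with the request
        log_message('info', 'theme cookie queued: ' . (has_cookie(self::COOKIE_NAME) ? 'yes' : 'no'));

        return redirect()->to('/');
    }

    // GET /preferences
    public function show()
    {
        helper('cookie');

        // get_cookie() reads the incoming request. $xssClean stays false; the value
        // is escaped at output time with esc() instead, as the docs recommend
        $theme = get_cookie(self::COOKIE_NAME) ?? 'light';

        // Never echo an unexpected value back, even escaped
        if (! in_array($theme, self::ALLOWED, true)) {
            $theme = 'light';
        }

        return $this->response->setBody('<p>Theme: ' . esc($theme) . '</p>');
    }

    // GET /preferences/forget
    public function forget()
    {
        helper('cookie');

        // delete_cookie() must be given the same path (and domain, if one was used)
        // as set_cookie(), otherwise the browser keeps the original cookie
        delete_cookie(self::COOKIE_NAME, '', self::COOKIE_PATH);

        return redirect()->to('/');
    }
}
```

The `has_cookie()` call is only a sanity check on the outgoing response; to know whether the browser actually holds the cookie, read it with `get_cookie()` on the next request, as `show()` does.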
Related news
### Impact

Setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`.

> **Note**
> This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set `$secure = true` in `Config\Cookie`.

```php
helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];

set_cookie($cookie);
// or
$this->response->setCookie($cookie);
```

### Patches

Upgrade to v4.2.7 or later.

### Workarounds

1. Specify the options explicitly.

```php
helper('cookie');

$cookie = [
    'name'     => $name,
    'value'    => $value,
    'secure'   => true,
    'httponly' => true,
];

set_cookie($cookie);
// or
$this->response->setCookie($cookie);
```

2. Use Cookie object.

```php
use CodeIgniter\Cookie\Cookie;

helper('cookie');

$cookie = new Cookie($name, $value);

set_cookie($cookie);
// or
$this->response->...
```
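A regression test is the practical way to find out whether an installation is affected and whether the workarounds above hold. The following is an added example, not code from the advisory or the framework: a PHPUnit test (hypothetical path `tests/unit/CookieFlagsTest.php`) that queues a cookie on a fresh `Response` the way the vulnerable snippet does and reads the flags back with `Response::getCookie()`. It assumes app/Config/Cookie.php sets `$secure = true`, `$httponly = true` and an empty `$prefix`; the first test fails on versions before 4.2.7, the other two pass on any 4.x version because the flags travel with the call.

```php
<?php
// tests/unit/CookieFlagsTest.php (hypothetical path; added example, not from the advisory)

namespace Tests\Unit;

use CodeIgniter\Cookie\Cookie;
use CodeIgniter\HTTP\Response;
use CodeIgniter\Test\CIUnitTestCase;

/**
 * Assumes app/Config/Cookie.php has $secure = true, $httponly = true and $prefix = ''.
 */
final class CookieFlagsTest extends CIUnitTestCase
{
    private Response $response;

    protected function setUp(): void
    {
        parent::setUp();
        // A fresh Response so cookies queued elsewhere cannot leak into the checks
        $this->response = new Response(config('App'));
    }

    // Reproduces the advisory's pattern: name and value only, flags left to Config\Cookie.
    // On a vulnerable version both assertions fail even with secure/httponly = true in config.
    public function testConfigDefaultsAreAppliedToQueuedCookie(): void
    {
        $this->response->setCookie(['name' => 'flag_probe', 'value' => '1']);

        $cookie = $this->response->getCookie('flag_probe');

        $this->assertInstanceOf(Cookie::class, $cookie);
        $this->assertTrue($cookie->isSecure(), 'Secure flag was not taken from Config\Cookie');
        $this->assertTrue($cookie->isHTTPOnly(), 'HttpOnly flag was not taken from Config\Cookie');
    }

    // Workaround 1: options passed explicitly do not depend on the config lookup
    public function testExplicitOptionsDoNotDependOnConfig(): void
    {
        $this->response->setCookie([
            'name'     => 'explicit_probe',
            'value'    => '1',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Strict',
        ]);

        $cookie = $this->response->getCookie('explicit_probe');

        $this->assertTrue($cookie->isSecure());
        $this->assertTrue($cookie->isHTTPOnly());
        // Compared case-insensitively: the Cookie class normalises the SameSite casing
        $this->assertSame('strict', strtolower($cookie->getSameSite()));
    }

    // Workaround 2: a Cookie object carries its own flags into the response
    public function testCookieObjectCarriesItsOwnFlags(): void
    {
        $cookie = new Cookie('object_probe', '1', ['secure' => true, 'httponly' => true]);
        $this->response->setCookie($cookie);

        $queued = $this->response->getCookie('object_probe');

        $this->assertTrue($queued->isSecure());
        $this->assertTrue($queued->isHTTPOnly());
    }
}
```

Run it with the project's usual `vendor/bin/phpunit` invocation; keeping the test in the suite after upgrading to 4.2.7 guards against the defaults being silently dropped again by a later refactor.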