Preserve HttpOnly value when deserializing a header

The specification states that the cookie should be considered http only if and only if the flag is present. See https://www.owasp.org/index.php/HttpOnly
2017-07-06 10:48:01 +02:00 · 2017-07-06 10:48:01 +02:00 · 73187d0003
commit 73187d0003
parent 48bb1953b9
3 changed files with 14 additions and 5 deletions
--- a/src/Symfony/Component/HttpFoundation/Cookie.php
+++ b/src/Symfony/Component/HttpFoundation/Cookie.php
@ -46,7 +46,7 @@ class Cookie
            'path' => '/',
            'domain' => null,
            'secure' => false,
-            'httponly' => true,
+            'httponly' => false,
            'raw' => !$decode,
            'samesite' => null,
        );
--- a/src/Symfony/Component/HttpFoundation/Tests/CookieTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/CookieTest.php
@ -200,6 +200,15 @@ class CookieTest extends TestCase
        $this->assertEquals(new Cookie('foo', 'bar', strtotime('Fri, 20-May-2011 15:25:52 GMT'), '/', '.myfoodomain.com', true, true, true), $cookie);

        $cookie = Cookie::fromString('foo=bar', true);
-        $this->assertEquals(new Cookie('foo', 'bar'), $cookie);
+        $this->assertEquals(new Cookie('foo', 'bar', 0, '/', null, false, false), $cookie);
+    }
+
+    public function testFromStringWithHttpOnly()
+    {
+        $cookie = Cookie::fromString('foo=bar; expires=Fri, 20-May-2011 15:25:52 GMT; path=/; domain=.myfoodomain.com; secure; httponly');
+        $this->assertTrue($cookie->isHttpOnly());
+
+        $cookie = Cookie::fromString('foo=bar; expires=Fri, 20-May-2011 15:25:52 GMT; path=/; domain=.myfoodomain.com; secure');
+        $this->assertFalse($cookie->isHttpOnly());
    }
 }
--- a/src/Symfony/Component/HttpFoundation/Tests/ResponseHeaderBagTest.php
+++ b/src/Symfony/Component/HttpFoundation/Tests/ResponseHeaderBagTest.php
@ -241,12 +241,12 @@ class ResponseHeaderBagTest extends TestCase
    {
        $bag = new ResponseHeaderBag();
        $bag->set('set-cookie', 'foo=bar');
-        $this->assertEquals(array(new Cookie('foo', 'bar', 0, '/', null, false, true, true)), $bag->getCookies());
+        $this->assertEquals(array(new Cookie('foo', 'bar', 0, '/', null, false, false, true)), $bag->getCookies());

        $bag->set('set-cookie', 'foo2=bar2', false);
        $this->assertEquals(array(
-            new Cookie('foo', 'bar', 0, '/', null, false, true, true),
-            new Cookie('foo2', 'bar2', 0, '/', null, false, true, true),
+            new Cookie('foo', 'bar', 0, '/', null, false, false, true),
+            new Cookie('foo2', 'bar2', 0, '/', null, false, false, true),
        ), $bag->getCookies());

        $bag->remove('set-cookie');