Bug: set_cookie not using default value of $secure from config

[hamzawain7]

PHP Version

7.4

CodeIgniter4 Version

4.2.6

CodeIgniter4 Installation Method

Manual (zip or tar.gz)

Which operating systems have you tested for this bug?

macOS

Which server did you use?

apache

Database

No response

What happened?

set_cookie function in Helpers/cookie_helper.php is not using the default value $secure i specified in app/Config/Cookie.php.

This used to work in CI3 because I think the default value of $secure param of set_cookie function used to be null which later on fallback to default.****

Steps to Reproduce

1. Set public $secure = true in /app/Config/Cookie.php'
2. Call the helper function set_cookie

        helper('cookie');
        set_cookie([
            'name' => 'pmw',
            'value' => 2,
            'samesite' => 'None',
        ]);

3. CookieException::forInvalidSameSiteNone() is thrown although $secure was suppose to be true

Expected Output

No exception

Anything else?

No response

[ddevsr]

You must set variable secure to true, by default function set_cookie secure = false

set_cookie([
         'name' => 'pmw',
         'value' => 2,
         'secure' => true,
         'samesite' => 'None',
]);

If you want create cookie with default config (see https://codeigniter.com/user_guide/libraries/cookies.html#creating-cookies) or you can using set_cookie helper

$cookieConfig = config('cookie');

 set_cookie([
           'name'     => 'pmw',
           'value'    => 2,
           'expire'   => $cookieConfig->expires,
           'domain'   => $cookieConfig->domain,
           'path'     => $cookieConfig->path,
           'prefix'   => $cookieConfig->prefix,
           'secure'   => $cookieConfig->secure,
           'httponly' => $cookieConfig->httponly,
           'samesite' => $cookieConfig->samesite,
]);

[hamzawain7]

set_cookie function uses new Cookie in its implementation which makes it get the default value of "domain", "samesite" and other non bool config values, but doesn't for "secure". Isn't that inconsistency? Won't it better for all of them to fallback to values in config?

[kenjis]

When constructing the Cookie object, only the name attribute is required. All other else are optional. If the optional attributes are not modified, their values will be filled up by the default values saved in the Cookie class. To override the defaults currently stored in the class, you can pass a Config\Cookie instance or an array of defaults to the static Cookie::setDefaults() method.
https://codeigniter4.github.io/CodeIgniter4/libraries/cookies.html#creating-cookies

Reading the user guide, I think the values in the Config file should be used for unspecified items.

[kenjis]

This used to work in CI3 because I think the default value of $secure param of set_cookie function used to be null which later on fallback to default.

Exactly.
https://github.com/bcit-ci/CodeIgniter/blob/9b8f2b7a8405acd1b8ad5956ada3d84472b1e8ae/system/helpers/cookie_helper.php#L71

Ref,

CodeIgniter4/system/Helpers/cookie_helper.php

Lines 39 to 49 in 354b43a

	function set_cookie(
	$name,
	string $value = '',
	string $expire = '',
	string $domain = '',
	string $path = '/',
	string $prefix = '',
	bool $secure = false,
	bool $httpOnly = false,
	?string $sameSite = null
	) {

[kenjis]

This seems the first commit: https://github.com/codeigniter4/CodeIgniter4/pull/241/files#diff-1ee301297e39aa12b421d2ad72d266269f4fc8fe56c01c366fbcdf16056a942dR82
However, no reason is given for the change in behavior from CI3.

[kenjis]

I sent a PR: #6544