void protectedCookie (
string | array $name
[, integer $mode = self::COOKIE_DEFAULT ]
)Configure which cookies SecureHeaders will regard as protected. SecureHeaders will consider substrings and names of cookies separately. By default, cookies that case insensitively match the following substrings or names will be regarded as protected.
sess
auth
login
csrf
xsrf
token
antiforgery
sid
s
persistent
If a cookie is protected, then cookie flags will be appended as
configured by ->auto. The default behaviour is to add Secure,
HttpOnly, and SameSite=Lax to ensure cookies are both sent securely,
out of the reach of JavaScript, and fairly resistant to csrf attacks.
The name (or substring of the name, depending on mode configuration), of the cookie to add/remove from the protection list (depending on mode configuration). Or a list of cookie names (or substrings of the name to match) as an array of strings.
mode accepts one or more of the following constants. Multiple
constants may be specified by combination using
bitwise operators
SecureHeaders::COOKIE_DEFAULT = ~SecureHeaders::COOKIE_REMOVE
& SecureHeaders::COOKIE_SUBSTRCOOKIE_DEFAULT enables not COOKIE_REMOVE (i.e. add the cookie to the list), and causes $name to refer to a cookie name substring (or substrings if an array is given).
SecureHeaders::COOKIE_NAMECOOKIE_NAME will add the string, or strings specified in $name to the list of (case insensitive) protected cookie names.
SecureHeaders::COOKIE_SUBSTRCOOKIE_SUBSTR will add the string, or strings specified in $name to the list of (case insensitive) protected cookie substrings (of the cookie name).
SecureHeaders::COOKIE_ALL = SecureHeaders::COOKIE_NAME
| SecureHeaders::COOKIE_SUBSTRCOOKIE_ALL will enable behaviours controlled by both COOKIE_NAME, AND COOKIE_SUBSTR
SecureHeaders::COOKIE_REMOVECOOKIE_REMOVE when combined with either COOKIE_NAME, COOKIE_SUBSTR or COOKIE_ALL will cause the string or strings specified in $name to be removed from the respective lists, if such entries exist.