[#6821] HttpOnly cookies
Summary HttpOnly cookies
Queue Horde Base
Queue Version HEAD
Type Enhancement
State Assigned
Priority 1. Low
Owners Horde Developers
Requester Chuck Hagenbuch <chuck (at) horde (dot) org>
Created 06/02/2008 (127 days ago)
Due
Updated 09/22/2008 (15 days ago)
Assigned 09/22/2008 (15 days ago)
Resolved
Attachments cookie_httpOnly.trunk.patch
cookie_httpOnly.FRAMEWORK_3.patch
Milestone
Patch Yes

History
09/22/2008 Jan Schneider Comment #8
State ⇒ Assigned
Assigned to Horde Developers
> Even if ini_set('session.cookie_httponly', 1) would be possible (->
> lib/core.php ?), I would discourage from doing so - there could be
> apps requiring JS-accessible Cookies not expecting such setting.
Makes sense.
09/22/2008 Jan Schneider Deleted Attachment: horde_cookie_httponly.patch
 
09/22/2008 thomas (at) gelf (dot) net Comment #7
One last note (regarding "other places"): didn't find other 
setcookie()-calls in Horde itself. However I did not check all 
applications, but I found one in imp/static/redirect.php.

Even if ini_set('session.cookie_httponly', 1) would be possible (-> 
lib/core.php ?), I would discourage from doing so - there could be 
apps requiring JS-accessible Cookies not expecting such setting.

09/22/2008 thomas (at) gelf (dot) net Comment #6
New Attachment: cookie_httpOnly.FRAMEWORK_3.patch
Don't know whether this will also make it into FRAMEWORK_3; eventually
this patch would fit current CVS and also checks for PHP 5.2 before
setting "http only".

Cheers,
Thomas

09/22/2008 thomas (at) gelf (dot) net Comment #5
New Attachment: cookie_httpOnly.trunk.patch
Here you go, patch is against current trunk.

Regards,
Thomas Gelf

09/22/2008 Jan Schneider Comment #4
Are you going to provide an updated patch?
09/12/2008 Jan Schneider Comment #3
Patch ⇒ 1
State ⇒ Feedback
CVS HEAD requires PHP 5.2, so you can remove the check completely. But 
I'm pretty sure there are more places where we use setcookie().
09/12/2008 thomas (at) gelf (dot) net Comment #2
New Attachment: horde_cookie_httponly.patch
Full ACK. As I really like the proposal I created a quick & dirty
patch. YES, I know that there exists a shorter way to write this
small piece of code, feel free to do so ;-)

However: the patch shows where changes need to be applied and also
shows PHP version requirements that should be checked.

Cheers,
Thomas Gelf

06/02/2008 Chuck Hagenbuch Comment #1
Patch ⇒
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ HttpOnly cookies
Type ⇒ Enhancement
Priority ⇒ 1. Low
State ⇒ Accepted
We should set cookies with the httpOnly flag when PHP allows it and 
when we have disabled URL-based sessions.
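A worked illustration of the proposal in comment #1 (set the HttpOnly flag only when PHP supports it and URL-based sessions are disabled) together with the PHP 5.2 version check discussed in comments #3 and #6. This is an added example, not code from the attached patches or from Horde itself; the helper name horde_setcookie_httponly, its $useOnlyCookies parameter and the default cookie path are assumptions made for the illustration, not Horde's real configuration keys or API.

```php
<?php
// Added example (not Horde code): set a cookie with the HttpOnly flag only
// when PHP supports it (>= 5.2.0) and when URL-based sessions are disabled,
// as proposed in comment #1. The helper name, the $useOnlyCookies parameter
// and the '/' default path are assumptions for this illustration.

/**
 * Set a cookie, adding the HttpOnly flag when it is safe to do so.
 *
 * @param string $name            Cookie name.
 * @param string $value           Cookie value.
 * @param int    $expire          Expiration timestamp (0 = session cookie).
 * @param string $path            Cookie path.
 * @param string $domain          Cookie domain.
 * @param bool   $secure          Send only over HTTPS.
 * @param bool   $useOnlyCookies  True when the application configuration
 *                                says URL-based (trans-sid) sessions are off.
 *
 * @return bool  Return value of setcookie().
 */
function horde_setcookie_httponly($name, $value, $expire = 0, $path = '/',
                                  $domain = '', $secure = false,
                                  $useOnlyCookies = true)
{
    // The 7th setcookie() parameter (httponly) only exists in PHP >= 5.2.
    // Passing it to an older PHP raises a warning and has no effect, so the
    // version is checked first. On a code base that already requires
    // PHP 5.2 (as CVS HEAD does per comment #3) this check can be dropped.
    $phpSupportsHttpOnly = version_compare(PHP_VERSION, '5.2.0', '>=');

    // Comment #1 ties the flag to URL-based sessions being disabled. Besides
    // the application's own flag, confirm that PHP itself is not configured
    // to rewrite session IDs into URLs.
    $urlSessionsDisabled = $useOnlyCookies
        && !ini_get('session.use_trans_sid');

    if ($phpSupportsHttpOnly && $urlSessionsDisabled) {
        // 7-argument form: last argument is the HttpOnly flag.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Fall back to the 6-argument form understood by every PHP 4/5 release.
    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

// Usage (must run before any output is sent, as with any setcookie() call):
horde_setcookie_httponly('horde_example', 'value', 0, '/', '', true, true);
```

The per-call form above is used deliberately instead of ini_set('session.cookie_httponly', 1): that setting would apply to the PHP session cookie for every application sharing the session, which is the breakage comments #7 and #8 warn about for apps that expect JS-accessible cookies. Each setcookie() call site named in the thread (Horde's own, and the one Thomas found in imp/static/redirect.php) can then opt in individually.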