6.0.0-beta1
7/5/25

[#6821] HttpOnly cookies
Summary HttpOnly cookies
Queue Horde Base
Queue Version Git master
Type Enhancement
State Resolved
Priority 1. Low
Owners slusarz (at) horde (dot) org
Requester chuck (at) horde (dot) org
Created 06/02/2008 (6242 days ago)
Due
Updated 11/30/2012 (4600 days ago)
Assigned 09/22/2008 (6130 days ago)
Resolved 11/30/2012 (4600 days ago)
Milestone
Patch Yes

History
11/30/2012 05:38:23 AM Michael Slusarz Comment #9
Assigned to Michael Slusarz
Taken from Horde Developers
State ⇒ Resolved
Version ⇒ Git master
This was done long ago.
09/22/2008 03:23:06 PM Jan Schneider Comment #8
State ⇒ Assigned
Assigned to Horde Developers
> Even if ini_set('session.cookie_httponly', 1) would be possible (->
> lib/core.php ?), I would discourage doing so - there could be
> apps requiring JS-accessible cookies not expecting such a setting.
Makes sense.
09/22/2008 03:22:31 PM Jan Schneider Deleted Original Message
09/22/2008 01:43:16 PM thomas (at) gelf (dot) net Comment #7
One last note (regarding "other places"): didn't find other
setcookie() calls in Horde itself. However, I did not check all
applications, but I found one in imp/static/redirect.php.

Even if ini_set('session.cookie_httponly', 1) would be possible (->
lib/core.php ?), I would discourage doing so - there could be
apps requiring JS-accessible cookies not expecting such a setting.

09/22/2008 01:34:55 PM thomas (at) gelf (dot) net Comment #6
New Attachment: cookie_httpOnly.FRAMEWORK_3.patch
Don't know whether this will also make it into FRAMEWORK_3; eventually
this patch would fit current CVS and also checks for PHP 5.2 before
setting "http only".

Cheers,
Thomas

09/22/2008 01:25:05 PM thomas (at) gelf (dot) net Comment #5
New Attachment: cookie_httpOnly.trunk.patch
Here you go, patch is against current trunk.

Regards,
Thomas Gelf

09/22/2008 12:27:00 PM Jan Schneider Comment #4
Are you going to provide an updated patch?
09/12/2008 04:06:54 PM Jan Schneider Comment #3
State ⇒ Feedback
Patch ⇒ Yes
CVS HEAD requires PHP 5.2, so you can remove the check completely. But 
I'm pretty sure there are more places where we use setcookie().
09/12/2008 03:54:21 PM thomas (at) gelf (dot) net Comment #2
New Attachment: horde_cookie_httponly.patch
Full ACK. As I really like the proposal I created a quick & dirty
patch. YES, I know that there exists a shorter way to write this
small piece of code, feel free to do so ;-)

However: the patch shows where changes need to be applied and also
shows PHP version requirements that should be checked.

Cheers,
Thomas Gelf

06/02/2008 08:53:46 PM Chuck Hagenbuch Comment #1
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ HttpOnly cookies
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
State ⇒ Accepted
We should set cookies with the httpOnly flag when PHP allows it and 
when we have disabled URL-based sessions.
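The approach the thread converges on (the HttpOnly flag set per call, guarded by a PHP 5.2 check, rather than a global ini_set in lib/core.php), as an added PHP example written for this page. It is not the patch attached to the ticket and not Horde's own code; the function names, the mapping of "URL-based sessions" onto the PHP session.use_trans_sid and session.use_only_cookies settings, and the sample cookie at the end are assumptions.

```php
<?php
// Added example, not Horde's code: send a cookie with the HttpOnly flag only
// when the running PHP supports it and URL-based sessions are disabled.
//
// setcookie() and session_set_cookie_params() gained their $httponly
// parameter in PHP 5.2.0, so the extra argument is only passed on 5.2+.

/**
 * Hypothetical helper (name is an assumption): true when the installation
 * may carry the session ID in URLs, i.e. when URL-based sessions are on.
 */
function horde_example_url_sessions_enabled()
{
    // Mapping the ticket's "URL-based sessions" onto PHP ini settings is an
    // assumption: use_trans_sid rewrites session IDs into URLs, and
    // use_only_cookies=0 lets PHP accept a session ID from the query string.
    return (bool)ini_get('session.use_trans_sid')
        || !ini_get('session.use_only_cookies');
}

/**
 * Hypothetical helper (name is an assumption): the condition from the ticket,
 * HttpOnly when PHP allows it and URL-based sessions are disabled.
 */
function horde_example_httponly_allowed()
{
    return version_compare(PHP_VERSION, '5.2.0', '>=')
        && !horde_example_url_sessions_enabled();
}

/**
 * Drop-in replacement for a bare setcookie() call: only the seventh
 * (HttpOnly) argument is added, everything else is passed through unchanged.
 */
function horde_example_setcookie($name, $value, $expire = 0, $path = '/',
                                 $domain = '', $secure = false)
{
    if (horde_example_httponly_allowed()) {
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

/**
 * The session cookie: the flag is applied per session start through
 * session_set_cookie_params() instead of a global
 * ini_set('session.cookie_httponly', 1), so the decision stays with the
 * caller and an application that needs different behaviour can skip it.
 */
function horde_example_start_session($lifetime = 0, $path = '/', $domain = '',
                                     $secure = false)
{
    if (horde_example_httponly_allowed()) {
        session_set_cookie_params($lifetime, $path, $domain, $secure, true);
    } else {
        session_set_cookie_params($lifetime, $path, $domain, $secure);
    }
    return session_start();
}

// Constructed usage: one application cookie plus the session cookie. The
// Secure flag follows whether the request arrived over HTTPS.
$secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
horde_example_setcookie('horde_example_pref', 'value', time() + 3600, '/', '', $secure);
horde_example_start_session(0, '/', '', $secure);
```

Both helpers leave the cookie's other attributes untouched, which keeps the change reviewable: a grep for setcookie() (the "other places" from comments #3 and #7) can be replaced call by call without altering paths, domains or lifetimes.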
