Summary | HttpOnly cookies |
Queue | Horde Base |
Queue Version | Git master |
Type | Enhancement |
State | Resolved |
Priority | 1. Low |
Owners | slusarz (at) horde (dot) org |
Requester | chuck (at) horde (dot) org |
Created | 06/02/2008 (6242 days ago) |
Due | |
Updated | 11/30/2012 (4600 days ago) |
Assigned | 09/22/2008 (6130 days ago) |
Resolved | 11/30/2012 (4600 days ago) |
Milestone | |
Patch | Yes |
Assigned to Michael Slusarz
Taken from
State ⇒ Resolved
Version ⇒ Git master
State ⇒ Assigned
Assigned to
setcookie()-calls in Horde itself. However I did not check all
applications, but I found one in imp/static/redirect.php.
Even if ini_set('session.cookie_httponly', 1) would be possible (->
lib/core.php ?), I would discourage from doing so - there could be
apps requiring JS-accessible Cookies not expecting such setting.
New Attachment: cookie_httpOnly.FRAMEWORK_3.patch
this patch would fit to current CVS and also checks for PHP 5.2 before
setting "http only".
Cheers,
Thomas
New Attachment: cookie_httpOnly.trunk.patch
Regards,
Thomas Gelf
State ⇒ Feedback
Patch ⇒ Yes
I'm pretty sure there are more places where we use setcookie().
New Attachment: horde_cookie_httponly.patch
patch. YES, I know that there exists a shorter way to write this
small piece of code, feel free to do so ;-)
However: the patch shows where changes need to be applied and also
shows PHP version requirements that should be checked.
Cheers,
Thomas Gelf
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ HttpOnly cookies
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
State ⇒ Accepted
when we have disabled URL-based sessions.
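The comments above note that more `setcookie()` calls probably exist than the ones already patched. As an added example (not part of the ticket or of Horde's code), this sketch scans PHP source for plain `setcookie()` calls that omit the seventh `httponly` argument or pass it as false. The names `split_args` and `audit_setcookie` and the sample input are constructed for illustration; the scan is textual, so it skips method calls, also reports calls inside comments, and does not recognise the options-array form of newer PHP versions.

```python
import re
# setcookie(name, value, expire, path, domain, secure, httponly) -> index 6
HTTPONLY_INDEX = 6
CALL = re.compile(r"(?<![\w>$:])setcookie\s*\(", re.IGNORECASE)

# Constructed sample, not taken from the Horde tree.
SAMPLE = """<?php
setcookie('horde_test', '1', 0, '/', '', false);
setcookie(session_name(), session_id(), time() + 3600, $p, $d, $s, true);
setcookie('pref', implode(',', array('a', 'b')));
$response->setcookie('x', 'y');
setcookie('js_visible', $v, 0, '/', '', false, false);
"""

def split_args(src, pos):
    """Split a PHP argument list that starts just after '(' at pos."""
    args, cur, depth, quote = [], [], 0, None
    while pos < len(src):
        ch = src[pos]
        if quote:                          # inside a string literal
            if ch == "\\":                 # keep the escaped character with it
                pos += 1
                ch += src[pos:pos + 1]
            elif ch == quote:
                quote = None
            cur.append(ch)
        elif ch == ")" and depth == 0:     # closing paren of the call itself
            return [a for a in args + ["".join(cur).strip()] if a]
        elif ch == "," and depth == 0:     # top-level argument separator
            args.append("".join(cur).strip())
            cur = []
        else:
            quote = ch if ch in "'\"" else None
            depth += (ch in "([") - (ch in ")]")
            cur.append(ch)
        pos += 1
    return None                            # unbalanced call, cannot judge

def audit_setcookie(src):
    """Return (line, verdict) for plain setcookie() calls lacking HttpOnly."""
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end()) or []   # unparsed counts as missing
        line = src.count("\n", 0, m.start()) + 1
        if len(args) <= HTTPONLY_INDEX:
            findings.append((line, "missing"))
        elif args[HTTPONLY_INDEX].lower() in ("false", "0"):
            findings.append((line, "disabled"))
    return findings
```

A "disabled" finding marks a cookie that was deliberately left readable by JavaScript, the case the comment about `session.cookie_httponly` warns about, so it calls for review rather than an automatic change.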