| Summary | HttpOnly cookies |
| Queue | Horde Base |
| Queue Version | Git master |
| Type | Enhancement |
| State | Resolved |
| Priority | 1. Low |
| Owners | slusarz (at) horde (dot) org |
| Requester | chuck (at) horde (dot) org |
| Created | 06/02/2008 (6370 days ago) |
| Due | |
| Updated | 11/30/2012 (4728 days ago) |
| Assigned | 09/22/2008 (6258 days ago) |
| Resolved | 11/30/2012 (4728 days ago) |
| Milestone | |
| Patch | Yes |
Assigned to Michael Slusarz
Taken from
State ⇒ Resolved
Version ⇒ Git master
State ⇒ Assigned
Assigned to
setcookie()-calls in Horde itself. However I did not check all
applications, but I found one in imp/static/redirect.php.
Even if ini_set('session.cookie_httponly', 1) would be possible (->
lib/core.php ?), I would discourage doing so - there could be
apps requiring JS-accessible cookies not expecting such a setting.
New Attachment: cookie_httpOnly.FRAMEWORK_3.patch
this patch would fit to current CVS and also checks for PHP 5.2 before
setting "http only".
Cheers,
Thomas
New Attachment: cookie_httpOnly.trunk.patch
Regards,
Thomas Gelf
State ⇒ Feedback
Patch ⇒ Yes
I'm pretty sure there are more places where we use setcookie().
New Attachment: horde_cookie_httponly.patch
patch. YES, I know that there exists a shorter way to write this
small piece of code, feel free to do so ;-)
However: the patch shows where changes need to be applied and also
shows PHP version requirements that should be checked.
Cheers,
Thomas Gelf
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ HttpOnly cookies
Queue ⇒ Horde Base
Milestone ⇒
Patch ⇒ No
State ⇒ Accepted
when we have disabled URL-based sessions.