A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.

Comments

mikeytown2:

Will the AJAX method still work with this patch?

neilnz:

Version: 6.x-2.0-beta1 » 6.x-2.x-dev
Attached file: status new, 1.74 KB

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?
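As an added illustration (not the attached patch or the module's own code), here is how a configurable HttpOnly flag for the RSESS and USESS cookies could be wired in a Drupal 6 module; the variable names and the assumption that the AJAX fallback needs to read the cookie from JavaScript (which HttpOnly would prevent) are mine.

```php
<?php
// Added example, not the patch from this issue. Assumed setting names:
// 'example_cookie_httponly' (admin wants HttpOnly, default TRUE) and
// 'example_ajax_fallback' (fallback that reads the cookie via document.cookie).

// Decide whether the session cookies may carry HttpOnly.
// HttpOnly keeps the cookie out of reach of script (document.cookie, XSS),
// so it must be off whenever the AJAX fallback has to read the cookie client-side.
function example_session_cookie_httponly() {
  $wanted = variable_get('example_cookie_httponly', TRUE);
  $ajax_fallback = variable_get('example_ajax_fallback', FALSE);
  return $wanted && !$ajax_fallback;
}

// Set both session cookies with the same flags.
// $lifetime of 0 yields a session cookie; otherwise expiry is $lifetime seconds from now.
function example_set_session_cookies($rsess, $usess, $lifetime = 0) {
  $httponly = example_session_cookie_httponly();
  // Assumed companion check: only mark the cookie Secure when served over HTTPS.
  $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
  $expire = $lifetime ? time() + $lifetime : 0;
  foreach (array('RSESS' => $rsess, 'USESS' => $usess) as $name => $value) {
    // PHP's setcookie() takes the HttpOnly flag as its seventh argument.
    setcookie($name, $value, $expire, '/', '', $secure, $httponly);
  }
}
```

With the AJAX fallback enabled the function returns FALSE and the cookies are set without HttpOnly, matching the behaviour of the attached version; with it disabled, both cookies get the flag.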