A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.


mikeytown2

will the ajax method still work with this patch?

neilnz

Version: 6.x-2.0-beta1 » 6.x-2.x-dev

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?
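The trade-off discussed in this thread, as an added illustration that is not the patch attached to the issue or the module's own code: HttpOnly hides a cookie from `document.cookie`, which limits cookie theft through script injection, but an AJAX fallback that reads the cookie client-side then stops working, so the flag is only set when that fallback is off. `example_ajax_fallback` is a hypothetical Drupal variable name; `variable_get()`, `base_path()` and the seven-argument `setcookie()` are the real Drupal 6 / PHP 5.2+ APIs.

```php
<?php
// Added example, not the module's code. Sets the RSESS and USESS cookies with
// HttpOnly unless the AJAX fallback needs to read them from JavaScript.
// 'example_ajax_fallback' is a hypothetical variable name.

function example_cookie_flags() {
  // With the AJAX fallback enabled, client-side code must read the cookie,
  // so HttpOnly cannot be set; otherwise set it to keep scripts away from it.
  $ajax_fallback = variable_get('example_ajax_fallback', FALSE);
  return array(
    'httponly' => !$ajax_fallback,
    // Mark the cookie Secure only when the request itself came over HTTPS,
    // otherwise the browser would never send it back on a plain-HTTP site.
    'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
  );
}

function example_set_session_cookies($uid, $roles_hash, $lifetime) {
  $flags = example_cookie_flags();
  $expire = time() + $lifetime;
  $path = base_path();
  // Sample values for $roles_hash and $uid are whatever the caller computed;
  // the cookie names are the ones named in the advisory.
  foreach (array('RSESS' => $roles_hash, 'USESS' => $uid) as $name => $value) {
    // setcookie(name, value, expire, path, domain, secure, httponly)
    setcookie($name, $value, $expire, $path, '', $flags['secure'], $flags['httponly']);
  }
}
```

A quick check after deploying: the `Set-Cookie` headers for RSESS and USESS should carry `HttpOnly` whenever the fallback is disabled, and `document.cookie` in the browser console should then no longer list them.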