A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.


w00f’s picture

mikeytown2’s picture

Will the ajax method still work with this patch?

neilnz’s picture

Version: 6.x-2.0-beta1 » 6.x-2.x-dev
1.74 KB

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?