[SECURITY] Make InstallTool session cookie HTTP-only
Resolves: #86955
Releases: master, 8.7, 7.6
Security-Commit: d251175e031aaa9943f93f5e5297f5490b99e513
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: Ia50cac61ee2d649e98cba2102162c1360487bb20
Reviewed-on: https://review.typo3.org/59103
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
andreaswolf authored and ohader committed Dec 11, 2018
1 parent 1c85fe7 commit 13328b0
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions typo3/sysext/install/Classes/Service/SessionService.php
Expand Up @@ -76,6 +76,7 @@ public function __construct()
session_set_save_handler([$this, 'open'], [$this, 'close'], [$this, 'read'], [$this, 'write'], [$this, 'destroy'], [$this, 'gc']);
session_save_path($sessionSavePath);
session_name($this->cookieName);
ini_set('session.cookie_httponly', true);
ini_set('session.cookie_path', (string)GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
// Always call the garbage collector to clean up stale session files
ini_set('session.gc_probability', (string)100);
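
Review bot: The added `ini_set('session.cookie_httponly', true);` passes a boolean, while the neighbouring `session.cookie_path` and `session.gc_probability` calls cast their values with `(string)`. `ini_set()` documents its value parameter as a string before PHP 8.1, so passing `'1'` here would match the surrounding calls and would not raise a TypeError if this file declares strict types. Separately, the visible lines set the cookie name, path and now HttpOnly, but not `session.cookie_secure`. If that is not handled elsewhere, setting it for requests that arrive over HTTPS would be a sensible follow-up, since HttpOnly only keeps the cookie out of reach of client-side script and does not stop it from being sent over plain HTTP.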