Fix for #7044: use secure cookie on HTTPS servers #7061
Of the two testing instructions I personally could test the first one only as I have no HTTPS server at hand.
As we do that for the other parameters, let's use a temp local variable for the last parameter too
Made cookie expire time variable parameter name consistent with its definition
Code review looks fine, thanks! 👍
Ignore me, it's for a different issue
Yes, httponly is a good security practice too, so JavaScript can't read the cookies.
Personally I don't think this is necessary at all: in the worst case a minor data leak could happen ("someone" could know about your language preferences, and that's it). On the other hand I can envision a scenario where a legit JS could be willing to access the language cookie for good reasons, so for me it is... 👎
Yes, agree
Merged into |
… time variable parameter name consistent with its definition. Fixes joomla#7061.
Description
This should fix #7044 by using a secure cookie when the server is an HTTPS server.
Test instructions
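
One way to check the behaviour this PR describes, as an added example (not the pull request's own test steps and not Joomla code): it inspects the `Set-Cookie` header values of a response and flags cookies that lack `Secure` on an HTTPS URL, reporting `HttpOnly` separately since the thread disagrees on it. The function names, the cookie name and the sample header values are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_cookies(url, set_cookie_headers):
    """Return (cookie name, finding) tuples for the cookies a response to `url` sets."""
    is_https = urlsplit(url).scheme.lower() == "https"
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if is_https and "secure" not in attrs:
            # The case the PR fixes: cookie set on HTTPS without the Secure flag.
            findings.append((name, "missing-secure"))
        if not is_https and "secure" in attrs:
            # A Secure cookie is never sent back over plain HTTP, which is
            # why the flag has to depend on the scheme rather than be always on.
            findings.append((name, "secure-on-http"))
        if "httponly" not in attrs:
            # Informational only: the thread does not settle on HttpOnly.
            findings.append((name, "no-httponly"))
    return findings

if __name__ == "__main__":
    # Constructed sample: one header value per Set-Cookie line of a response.
    sample = [
        "lang_cookie=en-GB; expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/",
        "lang_cookie=en-GB; expires=Thu, 01-Jan-2026 00:00:00 GMT; path=/; secure",
    ]
    for url in ("https://example.test/", "http://example.test/"):
        print(url, audit_cookies(url, sample))
```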