Teach MantisBT to bake tough cookies
The Secure cookie flag is now set for all cookies when the user is browsing via a TLS protected connection. Originally this flag was only set for the PHP session ID cookie.

MantisBT now supports the HttpOnly cookie flag and will use it when possible (PHP 5.2.0 is required). This flag tells the client browser to deny JavaScript access to the cookie (both reading and writing). As such, this flag is very useful in providing another layer of protection against XSS attacks.

The gpc_set_cookie function has an additional parameter to disable the HttpOnly flag on a per-cookie basis. This parameter should be set to false when sending a cookie to the client that client-side JavaScript needs to read or write.

Fixes #10709, #10712
1 parent 2ad151c, commit 2a6892b

Showing 2 changed files with 38 additions and 7 deletions.
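The diff itself is not shown on this page. As an added illustration that is not MantisBT's code (and not the gpc_set_cookie implementation from this commit), here is a PHP wrapper applying the policy the message describes: Secure whenever the request came over TLS, HttpOnly by default with a per-cookie opt-out. The names example_set_cookie and request_is_tls are hypothetical.

```php
<?php
// Added illustration of the cookie policy described in the commit message.
// Not MantisBT's gpc_set_cookie; function names and parameters are hypothetical.

// Returns true when the current request arrived over TLS.
function request_is_tls()
{
    return isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Send a cookie with the Secure flag whenever the user is on TLS, and the
// HttpOnly flag unless the caller opts out for a cookie that client-side
// JavaScript must read or write.
function example_set_cookie($name, $value, $expire = 0, $path = '/', $domain = '', $http_only = true)
{
    $secure = request_is_tls();

    // The httponly parameter of setcookie() exists since PHP 5.2.0; on older
    // interpreters the extra argument raises a warning and no cookie is sent,
    // so fall back to the shorter call there.
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, $path, $domain, $secure, $http_only);
    }
    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

// Default: an authentication cookie that page scripts never need to touch
// (constructed sample values).
example_set_cookie('app_auth', 'opaque-token-value');

// Opt out of HttpOnly only for a cookie the page's JavaScript must read,
// such as a UI preference; Secure is still applied on TLS connections.
example_set_cookie('app_ui_pref', 'compact', time() + 86400, '/', '', false);
```

To confirm the policy took effect, inspect the Set-Cookie response headers (for example with the browser's developer tools or `curl -I`) and check that each cookie carries `secure` on HTTPS and `HttpOnly` unless it was deliberately exempted.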