Commit
[FEATURE] Enable secure cookies by default
The option $TYPO3_CONF_VARS[SYS][cookieSecure] is removed in favor of always setting a secure cookie on HTTPS requests. This leads to errors when a page would be available in HTTP and HTTPS which is normally not the case when using a full site base in Site Handling anymore, and making TYPO3 more secure out-of-the-box.

Resolves: #87301
Releases: master
Change-Id: Iba90c19456af6a82feb9c53fea52228fbff516be
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65695
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Showing 7 changed files with 54 additions and 37 deletions.
.../Documentation/Changelog/master/Feature-87301-SecureCookiesEnabledByDefault.rst (33 changes: 33 additions & 0 deletions)
@@ -0,0 +1,33 @@ | ||
.. include:: ../../Includes.txt | ||
|
||
=================================================== | ||
Feature: #87301 - Secure cookies enabled by default | ||
=================================================== | ||
|
||
See :issue:`87301` | ||
|
||
Description | ||
=========== | ||
|
||
In previous TYPO3 installations there was a option to define | ||
whether a cookie was shared between HTTP and HTTPS requests. | ||
|
||
This allowed to have the same cookie available for HTTPS and non-HTTPS, when a site was available on both ports / protocols. | ||
|
||
In order to enhance security, the option is removed and the feature | ||
provides sensible defaults in the current state of the web, where | ||
it is recommended to run sites with HTTPS, or if this is not possible | ||
to use HTTP, but not using a mixed mode, which also has SEO downsides. | ||
|
||
|
||
Impact | ||
====== | ||
|
||
The new defaults are: | ||
|
||
* If a website is running on HTTPS, the cookie is only exposed via HTTPS. | ||
* If a website is running on HTTP, the cookie is available for HTTPS as well, but not vice-versa. | ||
|
||
The TYPO3 Configuration option `$TYPO3_CONF_VARS[SYS][cookieSecure]` is removed when upgrading TYPO3 installations. | ||
|
||
.. index:: LocalConfiguration, ext:core |
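Review bot: the Impact section says the option "is removed when upgrading TYPO3 installations" but does not say what happens to an existing non-default value or what an administrator of a site still served over both HTTP and HTTPS will observe; the commit message mentions that such setups now lead to errors, and the changelog is the place to spell that out. Suggest adding a sentence under Impact along the lines of "Sites that still serve pages over both HTTP and HTTPS must move to a single protocol (preferably HTTPS via the site's base URL), since a cookie set on an HTTPS request is no longer sent on HTTP requests." Two wording fixes in the Description: "there was a option" should read "there was an option", and "This allowed to have the same cookie" should read "This allowed having the same cookie".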