diff --git a/control/Cookie.php b/control/Cookie.php
index a1f3b1590..8c0adf388 100644
--- a/control/Cookie.php
+++ b/control/Cookie.php
@@ -39,7 +39,7 @@ class Cookie {
 * @param boolean $httpOnly See http://php.net/set_session
 */
 public static function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false,
- $httpOnly = false
+ $httpOnly = true
 ) {
 return self::get_inst()->inst_set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
 }
@@ -93,7 +93,7 @@ class Cookie {
 * @param boolean $httpOnly See http://php.net/set_session
 */
 protected function inst_set($name, $value, $expiry = 90, $path = null,
- $domain = null, $secure = false, $httpOnly = false
+ $domain = null, $secure = false, $httpOnly = true
 ) {
 if(!headers_sent($file, $line)) {
 $expiry = $expiry > 0 ? time()+(86400*$expiry) : $expiry;
diff --git a/docs/en/changelogs/3.2.0.md b/docs/en/changelogs/3.2.0.md
index 4792e506e..e2524a987 100644
--- a/docs/en/changelogs/3.2.0.md
+++ b/docs/en/changelogs/3.2.0.md
@@ -111,6 +111,14 @@ If you have existing users with `Member.DateFormat` set to a format including "MMM" or "MMMM", consider deleting those formats to fall back to the global (and more stable) default. +### Cookies set via Cookie::set() are now HTTP only by default + +Cookies set through `Cookie::set()` now default to "HTTP only". This means that scripting +languages like JavaScript won't be able to read them. + +To set it back to be non-HTTP only, you need to set the `$httpOnly` argument to false when calling +`Cookie::set()`. + ### Bugfixes * Migration of code to use new parameterised framework
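Review bot: The `@param boolean $httpOnly` docblock that now sits above the changed default in `set()` still points at `http://php.net/set_session`, which is not a PHP manual page; the flag is presumably forwarded to setcookie()'s `$httponly` argument, so the reference should be `@param boolean $httpOnly Whether to set the HttpOnly flag on the cookie, see http://php.net/setcookie`. The same docblock is a good place to state the limit of the new default: HttpOnly only keeps the value out of `document.cookie`, it does not stop injected script from issuing requests that carry the cookie, and because `$secure` still defaults to `false` here the cookie is still sent over plain HTTP, so the Secure flag deserves the same treatment as a follow-up. The hunk shows the closing `}` of `set()`, but the class continues outside it.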
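Review bot: The `$httpOnly = true` default is now duplicated between `set()` and `inst_set()`, and since `set()` forwards all seven arguments explicitly, the default on `inst_set()` only governs direct or subclass callers, so the two can silently drift apart on the next change. A one-line comment on the new parameter line, `// Defaults must stay in sync with Cookie::set()`, makes the coupling visible, and the `@param boolean $httpOnly See http://php.net/set_session` docblock above it should point at `http://php.net/setcookie` since set_session is not a manual page. The body of `inst_set()` continues past the last line of the hunk, so what the flag is finally passed to is not visible here.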