From 563155391f02dca5017dfc2a967eb1e93f0f1014 Mon Sep 17 00:00:00 2001
From: Sean Harvey <sean@silverstripe.com>
Date: Wed, 24 Sep 2014 17:38:09 +1200
Subject: [PATCH] API Cookies set via Cookie::set() are now HTTP only by
 default

---
 control/Cookie.php          | 4 ++--
 docs/en/changelogs/3.2.0.md | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/control/Cookie.php b/control/Cookie.php
index a1f3b1590..8c0adf388 100644
--- a/control/Cookie.php
+++ b/control/Cookie.php
@@ -39,7 +39,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	public static function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false,
-		$httpOnly = false
+		$httpOnly = true
 	) {
 		return self::get_inst()->inst_set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
 	}
@@ -93,7 +93,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	protected function inst_set($name, $value, $expiry = 90, $path = null,
-		$domain = null, $secure = false, $httpOnly = false
+		$domain = null, $secure = false, $httpOnly = true
 	) {
 		if(!headers_sent($file, $line)) {
 			$expiry = $expiry > 0 ? time()+(86400*$expiry) : $expiry;
diff --git a/docs/en/changelogs/3.2.0.md b/docs/en/changelogs/3.2.0.md
index 4792e506e..e2524a987 100644
--- a/docs/en/changelogs/3.2.0.md
+++ b/docs/en/changelogs/3.2.0.md
@@ -111,6 +111,14 @@ If you have existing users with `Member.DateFormat` set to a format
 including "MMM" or "MMMM", consider deleting those formats to fall back to
 the global (and more stable) default.
 
+### Cookies set via Cookie::set() are now HTTP only by default
+
+Cookies set through `Cookie::set()` now default to "HTTP only". This means that scripting
+languages like JavaScript won't be able to read them.
+
+To set it back to be non-HTTP only, you need to set the `$httpOnly` argument to false when calling
+`Cookie::set()`.
+
 ### Bugfixes
  * Migration of code to use new parameterised framework