Merge pull request #3505 from halkyon/cookie_httponly

Cookies set via Cookie::set() are now HTTP only by default

control/Cookie.php

@@ -39,7 +39,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	public static function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false,
-		$httpOnly = false
+		$httpOnly = true
 	) {
 		return self::get_inst()->inst_set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
 	}
@@ -93,7 +93,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	protected function inst_set($name, $value, $expiry = 90, $path = null,
-		$domain = null, $secure = false, $httpOnly = false
+		$domain = null, $secure = false, $httpOnly = true
 	) {
 		if(!headers_sent($file, $line)) {
 			$expiry = $expiry > 0 ? time()+(86400*$expiry) : $expiry;

docs/en/changelogs/3.2.0.md

@@ -111,6 +111,14 @@ If you have existing users with `Member.DateFormat` set to a format
 including "MMM" or "MMMM", consider deleting those formats to fall back to
 the global (and more stable) default.
 
+### Cookies set via Cookie::set() are now HTTP only by default
+
+Cookies set through `Cookie::set()` now default to "HTTP only". This means that scripting
+languages like JavaScript won't be able to read them.
+
+To set it back to be non-HTTP only, you need to set the `$httpOnly` argument to false when calling
+`Cookie::set()`.
+
 ### Bugfixes
  * Migration of code to use new parameterised framework