Merge pull request #3505 from halkyon/cookie_httponly

Cookies set via Cookie::set() are now HTTP only by default
2024-10-22 14:05:37 +02:00 · 2014-09-24 15:49:32 +10:00 · 2014-09-24 15:49:32 +10:00 · 7e58bbf6ce
commit 7e58bbf6ce
parent 4ba6d8153d 563155391f
2 changed files with 10 additions and 2 deletions
--- a/control/Cookie.php
+++ b/control/Cookie.php
@ -39,7 +39,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	public static function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false,
-		$httpOnly = false
+		$httpOnly = true
 	) {
 		return self::get_inst()->inst_set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
 	}
@ -93,7 +93,7 @@ class Cookie {
 	 * @param boolean $httpOnly See http://php.net/set_session
 	 */
 	protected function inst_set($name, $value, $expiry = 90, $path = null,
-		$domain = null, $secure = false, $httpOnly = false
+		$domain = null, $secure = false, $httpOnly = true
 	) {
 		if(!headers_sent($file, $line)) {
 			$expiry = $expiry > 0 ? time()+(86400*$expiry) : $expiry;
--- a/docs/en/changelogs/3.2.0.md
+++ b/docs/en/changelogs/3.2.0.md
@ -111,6 +111,14 @@ If you have existing users with `Member.DateFormat` set to a format
 including "MMM" or "MMMM", consider deleting those formats to fall back to
 the global (and more stable) default.

+### Cookies set via Cookie::set() are now HTTP only by default
+
+Cookies set through `Cookie::set()` now default to "HTTP only". This means that scripting
+languages like JavaScript won't be able to read them.
+
+To set it back to be non-HTTP only, you need to set the `$httpOnly` argument to false when calling
+`Cookie::set()`.
+
 ### Bugfixes
 * Migration of code to use new parameterised framework