Merge pull request #3505 from halkyon/cookie_httponly

Cookies set via Cookie::set() are now HTTP only by default
Simon Welsh 2014-09-24 15:49:32 +10:00
commit 7e58bbf6ce
2 changed files with 10 additions and 2 deletions

@ -39,7 +39,7 @@ class Cookie {
* @param boolean $httpOnly See http://php.net/set_session
*/
public static function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false,
$httpOnly = false
$httpOnly = true
) {
return self::get_inst()->inst_set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
}
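Review bot: the docblock above the changed signature still reads "@param boolean $httpOnly See http://php.net/set_session" and does not say that the default is now true, so a caller reading only the API docs will not learn about the behaviour change; update it to state the new default and point at the `httponly` flag of PHP's `setcookie()`, which is the function this parameter maps to, e.g. `@param boolean $httpOnly Defaults to true; see the httponly flag of setcookie()`. The default flip itself is the right hardening, since a cookie marked HttpOnly is not exposed to `document.cookie` and so is not readable by injected script.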
@ -93,7 +93,7 @@ class Cookie {
* @param boolean $httpOnly See http://php.net/set_session
*/
protected function inst_set($name, $value, $expiry = 90, $path = null,
$domain = null, $secure = false, $httpOnly = false
$domain = null, $secure = false, $httpOnly = true
) {
if(!headers_sent($file, $line)) {
$expiry = $expiry > 0 ? time()+(86400*$expiry) : $expiry;

@ -111,6 +111,14 @@ If you have existing users with `Member.DateFormat` set to a format
including "MMM" or "MMMM", consider deleting those formats to fall back to
the global (and more stable) default.
### Cookies set via Cookie::set() are now HTTP only by default
Cookies set through `Cookie::set()` now default to "HTTP only". This means that scripting
languages like JavaScript won't be able to read them.
To set it back to be non-HTTP only, you need to set the `$httpOnly` argument to false when calling
`Cookie::set()`.
### Bugfixes
* Migration of code to use new parameterised framework
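Review bot: the upgrading note should spell out what "HTTP only" means for the reader, namely that the cookie carries the HttpOnly attribute and is therefore not readable through `document.cookie` in the browser, while server-side code reading it is unaffected; "scripting languages like JavaScript won't be able to read them" could be read as applying to PHP too. It would also help to state that this is a behaviour change for any existing call to `Cookie::set()` that omits the last argument, and to give the full call shape for opting out, since `$httpOnly` is the seventh positional parameter and the preceding `$path`, `$domain` and `$secure` values must be supplied explicitly to reach it.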