Feeling Lucky
?
[#4153] - Session cookie flags update ("secure" and "httpOnly" added where missing)
- Closed
- 1 Jan 2015
- Medium
- Build: 2.5.x
- # 4153
- Diff
- Joey3000:2.5.x
User tests: Successful: Unsuccessful:
Steps to reproduce the issue
- Using a tool which is able to display the "httpOnly" flag of a received cookie (an intercepting proxy or the Firebug Firefox add-on (I assume; the built-in Firefox console can't)), log-in and log-out of a site's back-end.
Expected result
- Both, the session cookie is "set" and "delete" requests received as part of the server response have the "httpOnly" flag set.
Actual result
- The "httpOnly" flag is not set.
System information (as much as possible)
PHP 5.3.6 on Apache on Linux
Additional comments
Added the "secure" and "httpOnly" flags to the cookie "delete" requests as well, as "Cookies must be deleted with the same parameters as they were set with" according to https://php.net/manual/en/function.setcookie.php.
jissues-bot
- | Status | Pending | ⇒ | New |
| Labels |
Added:
?
|
||
| Status | New | ⇒ | Pending |
| Category | ⇒ | Libraries |
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-01-01 13:01:48 |
| Closed_By | ⇒ | brianteeman |
Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4153.