Using a tool which is able to display the "httpOnly" flag of a received cookie (an intercepting proxy or the Firebug Firefox add-on (I assume; the built-in Firefox console can't)), log in and log out of a site's back-end.
Expected result
Both the session cookie "set" and "delete" requests received as part of the server response have the "httpOnly" flag set.
Actual result
The "httpOnly" flag is not set.
System information (as much as possible)
PHP 5.3.6 on Apache on Linux
Additional comments
Added the "secure" and "httpOnly" flags to the cookie "delete" requests as well, as "Cookies must be deleted with the same parameters as they were set with" according to https://php.net/manual/en/function.setcookie.php.
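The fix the report describes (the same cookie attributes on the logout "delete" as on the login "set") as an added PHP example. This is illustration code, not Joomla's own session handling; the cookie name `app_session` and the helper names are hypothetical, and it uses the seven-argument `setcookie()` signature available in PHP 5.3.

```php
<?php
// Added example (not Joomla code): keep one set of cookie attributes and use
// it for both the "set" on login and the "delete" on logout, so the delete
// carries the same path/domain/secure/httpOnly values as the original cookie.

// Hypothetical cookie name; Joomla derives its real session cookie name elsewhere.
define('SESSION_COOKIE_NAME', 'app_session');

/**
 * Cookie attributes shared by the set and delete operations.
 * "secure" is true only when the current request arrived over HTTPS,
 * otherwise the browser would never send the cookie back on plain HTTP.
 */
function session_cookie_params()
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return array(
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure,
        'httponly' => true,
    );
}

/** Login: set the session cookie with httpOnly (and secure on HTTPS). */
function set_session_cookie($sessionId)
{
    $p = session_cookie_params();
    // PHP 5.3 signature: name, value, expire, path, domain, secure, httponly.
    // expire = 0 makes it a session cookie, discarded when the browser closes.
    return setcookie(SESSION_COOKIE_NAME, $sessionId, 0,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

/** Logout: delete the cookie using the same attributes it was set with. */
function delete_session_cookie()
{
    $p = session_cookie_params();
    // An expiry in the past tells the browser to discard the cookie. The
    // path and domain must match the original cookie or the browser keeps
    // the old one; secure and httpOnly are passed so the delete response
    // carries the same flags the report checks for.
    return setcookie(SESSION_COOKIE_NAME, '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

// Usage in the login and logout handlers, before any output is sent:
//   set_session_cookie(session_id());
//   delete_session_cookie();
```

To run the check from the report without a browser add-on, `curl -i` against the login and logout URLs shows the raw `Set-Cookie` headers; both the login response and the logout response should end the cookie line with `httponly` (and `secure` when served over HTTPS). `setcookie()` needs the headers not to have been sent yet, so these calls have to happen before any page output.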
Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4153.