[#7061] - Fix for #7044: use secure cookie on HTTPS servers
- Closed
- 3 Jun 2015
- Medium
- Build: staging
- Easy Test
- # 7061
- Diff
- smz:LanguageFilterHttpsCookie
- Success The Travis CI build passed Details
User tests: Successful: Unsuccessful:
Description
This should fix #7044 by using a secure cookie when the server is an HTTPS server.
Test instructions
- verify that there is no regression on normal servers by using a multilingual site, switchnig to a non-default language, exiting the browser, re-visiting the test site with the naked domain and observing that you are redirected to the non-default language you had previously selected.
- observe how the language cookie is delivered on HTTPS servers
zero-24
- | Labels |
Added:
?
|
||
| Category | ⇒ | Multilanguage |
| Status | New | ⇒ | Pending |
| Easy | No | ⇒ | Yes |
Code review looks fine, thanks! 
In HTTPS the cookie is delivered in secure mode!
thanks!
I think, would be good idea to use "httponly" cookies always ... not only for ssl
this will protect cookies from access from a js scripts and make joomla more secure
Protecting Your Cookies: HttpOnly
ignore me, it for different issue
yes, httponly is a good security practice too, so javascript can't read the cookies.
Is more used in session cookies to prevent XSS attacks but is always a good practice.
Personally I don't think this is necessary at all: in the worst case a minor data leak could happen ("someone" could know about your language preferences, and that's it). On the other hand I can envision a scenario where a legit JS could be willing to access the language cookie for good reasons, so for me it is... 
yes, agree
| Labels |
Added:
?
|
||
Merged into staging. Thanks!
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-06-03 18:52:54 |
| Closed_By | ⇒ | Bakual |
| Labels |
Removed:
?
|
||
Of the two testing instructions I personally could test the first one only as I have no HTTPS server at hand.
@andrepereiradasilva, can you please perform the second test?