Opened 4 years ago

Closed 4 years ago

#17766 closed Cleanup/optimization (fixed)

Clarify impact of HttpOnly flag for JS access to session cookie

Reported by: ptone
Owned by: nobody
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


This change impacts anyone accessing the session data from JavaScript, for example, when relaying the session ID into a query string in the case of Flash uploading tools. I'm not opening a debate on whether this is proper to do or not, just that it will help people understand possible impacts of this change when using other people's code that may do this (as happened to me).
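As an added example (not code from the ticket or from Django itself): a check over a Set-Cookie header that reports whether the session cookie carries the HttpOnly flag, which is exactly what decides whether a browser exposes it through document.cookie to the kind of script described above. It assumes Django's default session cookie name, sessionid; the sample headers are constructed for the demonstration.

```python
from http.cookies import SimpleCookie

# Django's default SESSION_COOKIE_NAME; change this if the project overrides it.
SESSION_COOKIE_NAME = "sessionid"

# Constructed sample Set-Cookie headers, not taken from the ticket.
# The first is what a server sends with SESSION_COOKIE_HTTPONLY enabled.
WITH_HTTPONLY = "sessionid=s3ss10n; HttpOnly; Path=/"
WITHOUT_HTTPONLY = "sessionid=s3ss10n; Path=/"


def session_cookie_flags(set_cookie_header):
    """Parse one Set-Cookie header and return the security flags on the
    session cookie, or None if the header does not set that cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if SESSION_COOKIE_NAME not in jar:
        return None
    morsel = jar[SESSION_COOKIE_NAME]
    # Flag attributes parse to True when present and stay "" otherwise.
    return {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }


def visible_to_document_cookie(set_cookie_header):
    """True when a browser would expose the session cookie via document.cookie,
    i.e. HttpOnly is absent. Client-side code that copies the session ID into a
    query string (the uploader case from the ticket) only works in that state;
    with HttpOnly set, such code silently gets no cookie."""
    flags = session_cookie_flags(set_cookie_header)
    return flags is not None and not flags["httponly"]


if __name__ == "__main__":
    for header in (WITH_HTTPONLY, WITHOUT_HTTPONLY):
        print(header, "->", session_cookie_flags(header),
              "readable from JS:", visible_to_document_cookie(header))
```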

Change History (2)

comment:1 Changed 4 years ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Ready for checkin

For reference, the original ticket that produced the change is #16847.

The location of this paragraph has moved meanwhile, but the patch is still applicable.

comment:2 Changed 4 years ago by PaulM

  • Resolution set to fixed
  • Status changed from new to closed

In [17618]:

Fixed #17766. Clarified HttpOnly flag on session cookie.

Thanks ptone for the patch!
