Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS
The worst case for an XSS flaw is the theft of an admin's session cookie: with it, an attacker has gained admin rights in TYPO3.
Proper use of $TYPO3_CONF_VARS['BE']['lockIP'] limits what a stolen cookie is worth, because the session is tied to the client's IP address, but it does not prevent the XSS itself, and even when it is set to 4 (all four octets checked) it is no solution if all users sit behind one proxy.
The feature request ...
setcookie()'s 6th parameter - secure:
This makes sure that the cookie is only sent over an SSL connection. The parameter could be used for BE users who work over SSL only. The implementation could be done without adding further configuration parameters: method start() already has a check for FE/BE. Then you additionally have to check that $TYPO3_CONF_VARS['BE']['lockSSL'] is set to either 1 or 2. Done.
setcookie()'s 7th parameter - httponly (introduced in PHP 5.2):
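The two checks described above, as an added example that is not part of the original issue and not TYPO3's own code: the function names sessionCookieFlags() and setSessionCookie(), the $conf array and the $loginType argument are assumptions for illustration; the only real items are setcookie()'s secure and httponly parameters and the lockSSL setting.

```php
<?php
// Added example (not from t3lib_userAuth): derive the secure/httponly flags for the
// session cookie from the login type (FE/BE) and $TYPO3_CONF_VARS['BE']['lockSSL'].

/**
 * Decide the cookie flags.
 *
 * @param string $loginType 'BE' or 'FE', as start() already distinguishes
 * @param int    $lockSSL   value of $TYPO3_CONF_VARS['BE']['lockSSL']
 * @return array ['secure' => bool, 'httponly' => bool]
 */
function sessionCookieFlags($loginType, $lockSSL)
{
    // With lockSSL set to 1 or 2 the backend is only reachable over SSL, so the
    // cookie may be flagged secure: the browser then never sends it over plain HTTP.
    $secure = ($loginType === 'BE' && in_array((int)$lockSSL, array(1, 2), true));

    // httponly (PHP >= 5.2) keeps the cookie out of document.cookie, so an XSS
    // payload cannot read the session ID and hand it to the attacker. It costs
    // nothing for FE or BE sessions, hence always on.
    $httponly = true;

    return array('secure' => $secure, 'httponly' => $httponly);
}

/**
 * Set the session cookie with the flags from sessionCookieFlags().
 * Hypothetical wrapper; $conf stands in for $TYPO3_CONF_VARS.
 */
function setSessionCookie($name, $sessionId, $loginType, array $conf)
{
    $lockSSL = isset($conf['BE']['lockSSL']) ? $conf['BE']['lockSSL'] : 0;
    $flags = sessionCookieFlags($loginType, $lockSSL);

    // expire 0 = browser session, path '/', domain '' = current host,
    // then the 6th (secure) and 7th (httponly) parameters.
    return setcookie($name, $sessionId, 0, '/', '', $flags['secure'], $flags['httponly']);
}

// Constructed sample configuration: backend locked to SSL.
$conf = array('BE' => array('lockSSL' => 1));

// BE session: secure + httponly.
setSessionCookie('be_typo_user', 'constructed-session-id', 'BE', $conf);
// FE session: httponly only, since the frontend may be served over plain HTTP.
setSessionCookie('fe_typo_user', 'constructed-session-id', 'FE', $conf);
```

The reason for gating the secure flag on lockSSL is that a cookie flagged secure is never sent over HTTP: if a backend login were still possible over plain HTTP, the user would end up with no usable session at all. The httponly flag has no such dependency and only reduces the value of an XSS hit, so it can be set unconditionally.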
(issue imported from #M9440)