Feature #19383: Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS
Status: closed
Done: 0%
Description
Background:
Worst case in terms of XSS is the capture of an admin's cookie. If so, a malicious user has gained admin rights for TYPO3.
Proper use of $TYPO3_CONF_VARS['BE']['lockIP'] reduces the possibility of XSS but even when it's set to 4, it's no solution if all users are behind one proxy.
The feature request ...
setcookie()'s 6th parameter - secure:
This makes sure that a cookie is only submitted through an SSL connection. The parameter could be used for BE users who are using SSL only. The implementation could be done without adding additional configuration parameters - method start() has a check for FE/BE. Then you have to additionally check that $TYPO3_CONF_VARS['BE']['lockSSL'] is either set to 1 or 2. Done.
setcookie()'s 7th parameter - httponly (introduced in PHP 5.2):
This makes sure that a cookie is accessible through HTTP only and e.g. not through JavaScript. Modern browsers do support the HttpOnly flag - Opera 9.5, Internet Explorer 7, and Firefox 3. The flag is highly valuable against XSS. Cookie access through JS's document.cookie won't work anymore. Implementation would require an additional boolean parameter like $TYPO3_CONF_VARS['SYS']['cookieHttpOnly']. The flag could be used for both FE and BE users.
setcookie manual: http://php.net/manual/en/function.setcookie.php
(issue imported from #M9440)
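A worked sketch of the two flags described in the request, as an added example (not the reporter's code and not TYPO3's own t3lib_userAuth implementation): the secure flag is derived from the login type plus $TYPO3_CONF_VARS['BE']['lockSSL'] being 1 or 2, the httponly flag from the proposed $TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] option, and both are handed to setcookie()'s 6th and 7th parameters. The helper function names, the cookie names used in the usage call and the sample configuration array are assumptions; the syntax is kept PHP 5.2 compatible to match the era of the request.

```php
<?php
// Added example, not TYPO3 project code. Shows how the "secure" and
// "httponly" parameters of setcookie() can be derived from TYPO3
// configuration as proposed in the feature request.

/**
 * Decide the cookie flags for a session cookie.
 *
 * @param array  $confVars  the $TYPO3_CONF_VARS array (or a subset of it)
 * @param string $loginType 'BE' for backend, 'FE' for frontend sessions
 * @return array with keys 'secure' and 'httponly' (both boolean)
 */
function typo3SessionCookieFlags(array $confVars, $loginType)
{
    // secure: only when this is a BE session and lockSSL forces SSL (1 or 2).
    // No new configuration option is needed for this, as the request notes.
    $lockSSL = isset($confVars['BE']['lockSSL']) ? (int) $confVars['BE']['lockSSL'] : 0;
    $secure = ($loginType === 'BE') && ($lockSSL === 1 || $lockSSL === 2);

    // httponly: the proposed boolean option (name assumed from the request),
    // valid for both FE and BE sessions. Defaults to off when unset.
    $httpOnly = !empty($confVars['SYS']['cookieHttpOnly']);

    return array('secure' => $secure, 'httponly' => $httpOnly);
}

/**
 * Build the Set-Cookie header value the browser would receive, without
 * sending it. Useful for tests and for checking the flags in a log.
 */
function typo3SessionCookieHeader($name, $value, array $flags, $path = '/')
{
    $header = rawurlencode($name) . '=' . rawurlencode($value) . '; path=' . $path;
    if ($flags['secure']) {
        $header .= '; secure';
    }
    if ($flags['httponly']) {
        $header .= '; HttpOnly';
    }
    return $header;
}

/**
 * Send the session cookie using setcookie()'s 6th (secure) and 7th
 * (httponly) parameters. Expire 0 = session cookie, as in PHP's defaults.
 */
function typo3SendSessionCookie($name, $value, array $confVars, $loginType, $path = '/', $domain = '')
{
    $flags = typo3SessionCookieFlags($confVars, $loginType);
    return setcookie($name, $value, 0, $path, $domain, $flags['secure'], $flags['httponly']);
}

// Constructed sample configuration: backend locked to SSL, HttpOnly enabled.
$sampleConf = array(
    'BE'  => array('lockSSL' => 2),
    'SYS' => array('cookieHttpOnly' => 1),
);

// Cookie names are assumed for illustration (TYPO3 convention: be_typo_user / fe_typo_user).
$beFlags = typo3SessionCookieFlags($sampleConf, 'BE');
$feFlags = typo3SessionCookieFlags($sampleConf, 'FE');

echo typo3SessionCookieHeader('be_typo_user', 'sessionid-placeholder', $beFlags), "\n";
// be_typo_user=sessionid-placeholder; path=/; secure; HttpOnly
echo typo3SessionCookieHeader('fe_typo_user', 'sessionid-placeholder', $feFlags), "\n";
// fe_typo_user=sessionid-placeholder; path=/; HttpOnly   (FE: no secure flag, lockSSL is BE-only)

// In a real request this would be called before any output is sent:
// typo3SendSessionCookie('be_typo_user', $sessionId, $TYPO3_CONF_VARS, 'BE');
```

After deploying such a change, the quickest check is to inspect the response headers of a backend login (browser developer tools or `curl -I`) and confirm that the session cookie line carries `secure` and `HttpOnly`; if `lockSSL` is 0 the `secure` attribute will be absent by design, since the cookie must still work over plain HTTP in that configuration.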
Updated by Oliver Hader about 15 years ago
Duplicate of issue #18172 and solved there