Enable cookieHttpOnly by default
In case of an existing Cross-Site Scripting vulnerability, it is possible to "steal" session cookies, which would probably enable the attacker to take over the user session.
(issue imported from #M17124)
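A small check for what this issue is about, as an added example (not code from the issue, the commit or TYPO3 itself): it parses Set-Cookie headers, reports session cookies that lack HttpOnly, and shows the hardened header that enabling cookieHttpOnly produces. The sample headers are constructed, and fe_typo_user / be_typo_user are assumed here to be TYPO3's frontend and backend session cookie names.

```python
"""Check Set-Cookie headers for the HttpOnly flag that cookieHttpOnly adds.
Without HttpOnly, script injected via XSS can read the cookie from document.cookie."""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Return (name, value, attrs); attribute names are lower-cased and
    valueless flags such as HttpOnly are stored as True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list[str]:
    """Findings for one session-cookie header; an empty list means it is fine."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, also sent over plain HTTP")
    return findings


def harden_set_cookie(header: str) -> str:
    """Re-emit the header with HttpOnly (what cookieHttpOnly=1 does) and Secure."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", True)
    attrs.setdefault("secure", True)
    rendered = [f"{name}={value}"] + [
        key if val is True else f"{key}={val}" for key, val in attrs.items()
    ]
    return "; ".join(rendered)


# Constructed sample headers, not captured from a real site; the cookie names
# are assumed here to be TYPO3's frontend and backend session cookies.
SAMPLES = [
    "fe_typo_user=SESSIONIDA; path=/",
    "be_typo_user=SESSIONIDB; path=/; HttpOnly",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_set_cookie(sample) or "OK")
        print("  hardened:", harden_set_cookie(sample))
```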
[FEATURE] Enable cookieHttpOnly by default
Enable cookieHttpOnly by default, which prevents
Reviewed-by: Ingo Schmitt
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller
#2 Updated by Helmut Hummel about 7 years ago
pulpuload worked and I really don't know why extDirect should need it.
I have this active on several customer sites and did not have any problems (except the flash uploader, which I thought was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x).
But I agree this needs further investigation, so postponed for 4.6
#8 Updated by Ernesto Baschny over 4 years ago
- Category set to Install Tool
- Status changed from New to Accepted
- Assignee set to Christian Kuhn
- Target version set to 6.2.0
- Complexity set to easy
We discussed this in the release team today and agreed that this should be the new default starting with 6.2.