[BUGFIX] Streamline cookie options / remove cookieHttpOnly
The TYPO3_CONF_VARS[SYS][cookieHttpOnly] option is removed as all cookies set by the TYPO3 Core are HttpOnly by default in order to avoid client-side script access. This option was previously turned on by default but configurable as old browsers did not support this option all the time (see https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly for more details).

The be_lastLoginProvider and workspaces cookies now set the httpOnly flag properly as well.

Resolves: #78835
Releases: master
Change-Id: I12538508a6f97888d7ad0b2f5f028bcde2844d6d
Reviewed-on: https://review.typo3.org/50808
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
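As an added defender's check (not code from the TYPO3 commit above), the script below parses the Set-Cookie headers of an HTTP response and lists every cookie that was set without the HttpOnly attribute, which is the property this change makes unconditional for TYPO3 Core cookies. The header values, cookie names other than be_lastLoginProvider, and the `ws_preview_example` name are constructed sample data.

```python
from typing import Dict, List, Union

# Constructed sample Set-Cookie headers, as a response audit might collect them.
# Two of the four cookies lack HttpOnly and should be reported.
SAMPLE_SET_COOKIE_HEADERS = [
    "be_typo_user=abc123; path=/; secure; HttpOnly",
    "be_lastLoginProvider=1433417747; expires=Tue, 05 Dec 2017 10:00:00 GMT; path=/",
    "fe_typo_user=def456; path=/; HttpOnly",
    "ws_preview_example=xyz; path=/; secure",  # hypothetical workspace preview cookie
]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie header value into its name, value and attribute map.

    Attribute names are matched case-insensitively (RFC 6265 treats them so),
    and flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of all cookies set without the HttpOnly attribute."""
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie {name!r} is readable by client-side script (no HttpOnly)")
```

To audit a live deployment, feed the function the list returned by a response's `Set-Cookie` headers (for example `response.headers.get_all("Set-Cookie")` from `http.client`) instead of the constructed sample.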
Showing 6 changed files:
- typo3/sysext/backend/Classes/Controller/LoginController.php (3 additions, 1 deletion)
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (1 addition, 3 deletions)
- typo3/sysext/core/Configuration/DefaultConfiguration.php (0 additions, 1 deletion)
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.php (0 additions, 1 deletion)
- typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php (3 additions, 1 deletion)
- typo3/sysext/workspaces/Classes/Hook/PreviewHook.php (1 addition, 1 deletion)