[Koha-bugs] [Bug 9102] [SECURITY] We should set httponly on our session cookie
bugzilla-daemon at bugs.koha-community.org
Mon Nov 26 19:14:40 CET 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102
--- Comment #7 from Chris Cormack <chris at bigballofwax.co.nz> ---
Not sure about that Jonathan, since those ones are only used by the API, not
rendered in a page. Possibly users of the API might want to interact with the
cookie with JavaScript? More likely, since they won't be interacting with it
with a browser that understands the HttpOnly flag, it will be ignored.
We could add the flag just in case a user is tricked into going to a page from
the API that has been compromised and has XSS in it.
Maybe send a follow-up; it can't really hurt to have it in, I think.
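The discussion above is about whether every Set-Cookie header Koha emits (OPAC and API alike) carries the HttpOnly flag. The following is an added example, not code from Koha or from this bug's patches: a small audit that parses Set-Cookie header values, reports which ones lack HttpOnly (and Secure), and shows how to add the flag to a header that is missing it. The header strings, cookie names and the `audit_headers`/`harden_header` helpers are constructed for this illustration and are not taken from a real Koha server.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (added example)."""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values, labelled by the endpoint that
# might have issued them. None of these were captured from a real server.
SAMPLE_HEADERS = {
    "opac_session": "CGISESSID=abc123; path=/; HttpOnly",
    "api_session": "CGISESSID=def456; path=/",
    "other_host": "sid=xyz; Secure; Path=/",
}


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value.

    Returns (name, httponly, secure) with the two flags as booleans.
    SimpleCookie records a bare attribute such as 'HttpOnly' as True and
    leaves it as '' when absent, so bool() normalises both cases.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    # A single Set-Cookie header carries exactly one cookie.
    name, morsel = next(iter(jar.items()))
    return name, bool(morsel["httponly"]), bool(morsel["secure"])


def audit_headers(headers):
    """Return the labels of every header whose cookie lacks HttpOnly.

    This is the check a reviewer would run over all cookie-setting code
    paths: a cookie without the flag can be read by script on any page
    that shares the cookie's origin, which is what makes an XSS bug into
    a session theft. Clients that are not browsers ignore the flag, so
    adding it to API-issued cookies costs nothing for them.
    """
    return [
        label for label, value in headers.items()
        if not cookie_flags(value)[1]
    ]


def harden_header(set_cookie_value):
    """Return the same Set-Cookie value with HttpOnly set.

    Existing attributes (Path, Secure, ...) are preserved; only the
    HttpOnly flag is added if it was missing.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    _, morsel = next(iter(jar.items()))
    morsel["httponly"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, cookie_flags(value))
    print("missing HttpOnly:", audit_headers(SAMPLE_HEADERS))
    print("hardened API cookie:", harden_header(SAMPLE_HEADERS["api_session"]))
```

The audit is deliberately blind to which endpoint set the cookie: the point made in the comment is that the flag is harmless where a non-browser client ignores it and useful wherever a browser ends up holding the cookie, so the safe policy is to require it on every session cookie rather than reason about who will consume each one.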