Public area => Bug reports => The Pub => Archived fixes => Topic started by: CerealGuy on September 4th, 2015, 10:54 PM
Wedge already wants to do that (setting httponly) but it misses some true arguments on setcookie().
Httponly basically forbids the browser/js to access document.cookies which prevents bad exploitation of xss (otherwise the cookie could get stolen).
Wasn't aware of this.
Looks like all other setcookie calls were setting that flag already, there were only two missing, which you caught.
Please review my changes! (I would have integrated yours directly and not bothered, but you didn't make a PR so I made more changes :P)
This was fixed: