Wedge

CerealGuy · « on September 4th, 2015, 10:54 PM »

Wedge already wants to do that (setting httponly) but it misses some true arguments on setcookie().
Httponly basically forbids the browser/js to access document.cookies which prevents bad exploitation of xss (otherwise the cookie could get stolen).
https://www.owasp.org/index.php/HttpOnly

https://github.com/C3realGuy/wedge/commit/71a066380d1301a82c95cc5144039edceca98c9e

Nao · « Reply #1, on September 13th, 2015, 03:20 PM »

Wasn't aware of this.
Looks like all other setcookie calls were setting that flag already, there were only two missing, which you caught.

Please review my changes! (I would have integrated yours directly and not bothered, but you didn't make a PR so I made more changes :P)

CerealGuy · « Reply #2, on January 9th, 2016, 04:39 PM »

This was fixed:
https://github.com/Wedge/wedge/commit/0cd910721ca98c591928f284d5bd785c59142434

Wedge

Home

Login

Register

CerealGuy

[Cookies] httponly not correctly set

Nao

[Cookies] Re: httponly not correctly set

CerealGuy

[Cookies] Re: httponly not correctly set