MantisBT: master 58a67eef

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2009-07-11 01:11
Parent: master 40840f41
Affected Issues
  0010709: Use HttpOnly cookie flag to protect cookies from client-side Javascript manipulation/theft
  0010712: Secure cookie flag is not used for all cookies when browsing via HTTPS
Changeset

Teach MantisBT to bake tough cookies

The Secure cookie flag is now set for all cookies when the user is
browsing via a TLS protected connection. Originally this flag was only
set for the PHP session ID cookie.

MantisBT now supports the HttpOnly cookie flag and will use it when
possible (PHP 5.2.0 is required). This flag tells the client browser to
deny Javascript access to the cookie (both reading and writing). As
such, this flag is very useful in providing another layer of protection
against XSS attacks.

The gpc_set_cookie function has an additional parameter to disable the
HttpOnly flag on a per-cookie basis. This parameter should be set to
false when sending a cookie to the client that client-side Javascript
needs to read or write.

Fixes 0010709,0010712

mod - core/session_api.php
mod - core/gpc_api.php
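The behaviour the commit message describes, as an added illustration that is not MantisBT's own gpc_set_cookie: the Secure flag follows the TLS state of the current request, HttpOnly is applied whenever the PHP runtime is 5.2.0 or newer, and a per-cookie parameter lets a caller opt out for cookies that client-side script must read or write. The helper name and the use of $_SERVER['HTTPS'] for TLS detection are assumptions of this example.

```php
<?php
// Added example, not MantisBT code. Assumes TLS is detected through
// $_SERVER['HTTPS'], which most PHP SAPIs populate on HTTPS requests.

/**
 * Set a cookie with the Secure flag whenever the request arrived over
 * TLS, and the HttpOnly flag whenever PHP supports it (5.2.0+), unless
 * the caller opts out because client-side JavaScript needs the cookie.
 */
function example_set_cookie($name, $value, $expire = 0, $http_only = true) {
    // Secure: set only when this request is TLS-protected, so the browser
    // never sends the cookie back over a plaintext HTTP connection.
    $secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

    // HttpOnly: the seventh setcookie() argument only exists from PHP 5.2.0,
    // so older runtimes fall back to a cookie without the flag.
    if ($http_only && version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, '/', '', $secure, true);
    }
    return setcookie($name, $value, $expire, '/', '', $secure);
}

// A session-style cookie that script never needs: HttpOnly stays on,
// so an XSS payload cannot read or overwrite it via document.cookie.
example_set_cookie('EXAMPLE_SESSION', 'constructed-session-id');

// A UI preference that client-side JavaScript must read: opt out of
// HttpOnly explicitly, while Secure is still applied automatically on HTTPS.
example_set_cookie('EXAMPLE_UI_PREF', 'collapsed', time() + 86400, false);
```

Call the helper before any output is sent, as setcookie() writes a response header.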