0029027: function gpc_set_cookie() ignores $p_httponly argument

ID	Project	Category	View Status	Date Submitted	Last Update
0029027	mantisbt	other	public	2021-08-24 19:27	2025-09-26 04:21

Reporter	aaribaud	Assigned To	community
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.25.2
Target Version	2.26.0	Fixed in Version	2.26.0

Summary	0029027: function gpc_set_cookie() ignores $p_httponly argument
Description	Function gpc_set_cookie() provides an argument called $p_httponly which should determine whether the cookie being set has the HttpOnly flag. However, inside gps_set_cookie(), the setcookie call uses the constant value `true` for the HttpOnly flag, instead of using the value of $p_httponly. This causes all cookies to be HttpOnly, thus preventing use cases where Javascript would need to change the cookie value.
Steps To Reproduce	Request a page which calls gpc_set_cookie() with value `false` for argument $p_httponly. Try and modify the cookie from Javascript. Observe that in subsequent HTTP requests, the modification is ignored.
Tags	No tags attached.

MantisBT: master 669dfa6c 2021-08-15 23:34 aaribaud Committer: dregad Details Diff	Fix gpc_set_cookie ignoring HttpOnly parameter Fixes 0029027		Affected Issues 0029027
	mod - core/gpc_api.php		Diff File

dregad 2021-08-25 02:49 developer ~0065787	PR https://github.com/mantisbt/mantisbt/pull/1776