A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.

Comments

ryanellis’s picture

mikeytown2’s picture

Will the ajax method still work with this patch?

neilnz’s picture

Version: 6.x-2.0-beta1 » 6.x-2.x-dev
FileSize
1.74 KB

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?

dstuart’s picture

Issue summary: View changes
Status: Active » Closed (outdated)

No longer supported