A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.


Will the AJAX method still work with this patch?

Version: 6.x-2.0-beta1 » 6.x-2.x-dev

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?