A minor advisory was issued on our last update suggesting HTTPOnly should be set (or at least configurable) on the RSESS and USESS cookies.

Comments

Will the AJAX method still work with this patch?

Version: 6.x-2.0-beta1 » 6.x-2.x-dev
Status: new
FileSize: 1.74 KB

Here's a version that won't set httponly if ajax fallback is enabled. Should be safe now?