[BUGFIX] Streamline cookie options / remove cookieHttpOnly 08/50808/18
author Benni Mack <benni@typo3.org>
Wed, 1 Feb 2017 05:51:17 +0000 (06:51 +0100)
committer Benni Mack <benni@typo3.org>
Wed, 1 Mar 2017 05:34:49 +0000 (06:34 +0100)
commit 3b4d288cc863cb614d8e19ed0ed85dd9f0814d94
tree 6d9fda2bf259dd081ca1c18bfd461fdc457d349f
parent 958f6cdc884863a20e47e607f4ac0478255d0fe4
[BUGFIX] Streamline cookie options / remove cookieHttpOnly

The TYPO3_CONF_VARS[SYS][cookieHttpOnly] option is removed
as all cookies set by the TYPO3 Core are HttpOnly by default
in order to avoid client-side script access.

This option was previously turned on by default but configurable
as old browsers did not support this option all the time (see
https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly
for more details).

The be_lastLoginProvider and workspaces cookies now
set the httpOnly flag properly as well.

Resolves: #78835
Releases: master
Change-Id: I12538508a6f97888d7ad0b2f5f028bcde2844d6d
Reviewed-on: https://review.typo3.org/50808
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/backend/Classes/Controller/LoginController.php
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/DefaultConfigurationDescription.php
typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
typo3/sysext/workspaces/Classes/Hook/PreviewHook.php
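The commit's point is that every cookie the Core emits must carry the HttpOnly attribute. The script below is an added example, not code from TYPO3 or from this change: it audits a set of Set-Cookie headers and reports the cookies that a script on the page could read. The header values are constructed for the example; be_lastLoginProvider is the cookie named in the commit, the other cookie names are assumptions.

```python
# Constructed sample Set-Cookie headers (not captured from a real TYPO3 instance).
# be_lastLoginProvider is the backend cookie named in the commit message; the
# other cookie names are assumptions made for this example.
SAMPLE_HEADERS = [
    "be_typo_user=abc123; path=/; HttpOnly; Secure",
    "be_lastLoginProvider=1433416747; expires=Fri, 01 Mar 2019 05:34:49 GMT; path=/",
    "ws_preview=deadbeef; path=/; HttpOnly",
    "fe_typo_user=xyz789; path=/; secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes).

    attributes maps lower-cased attribute names to their value, or to True
    for flag attributes such as HttpOnly and Secure that carry no value.
    """
    parts = [p.strip() for p in header.split(";")]
    # The first part is name=value; the value may itself contain '='.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def cookies_missing_httponly(headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly.

    Attribute names are compared case-insensitively, matching how browsers
    treat them, so 'httponly' and 'HttpOnly' both count as present.
    """
    missing = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie_name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is readable by client-side script (no HttpOnly)")
```

In practice the headers would come from the HTTP response of a backend login or a workspace preview request rather than from the constructed list above.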