[SECURITY] Make InstallTool session cookie HTTP-only 03/59103/2
authorAndreas Wolf <dev@a-w.io>
Tue, 11 Dec 2018 09:57:18 +0000 (10:57 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:57:20 +0000 (10:57 +0100)
Resolves: #86955
Releases: master, 8.7, 7.6
Security-Commit: d251175e031aaa9943f93f5e5297f5490b99e513
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: Ia50cac61ee2d649e98cba2102162c1360487bb20
Reviewed-on: https://review.typo3.org/59103
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/install/Classes/Service/SessionService.php

index b6f828a..96b1894 100644 (file)
@@ -76,6 +76,7 @@ class SessionService implements SingletonInterface
         session_set_save_handler([$this, 'open'], [$this, 'close'], [$this, 'read'], [$this, 'write'], [$this, 'destroy'], [$this, 'gc']);
         session_save_path($sessionSavePath);
         session_name($this->cookieName);
+        ini_set('session.cookie_httponly', true);
         ini_set('session.cookie_path', (string)GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
         // Always call the garbage collector to clean up stale session files
         ini_set('session.gc_probability', (string)100);
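Review bot: The added line passes a PHP boolean to ini_set(), whose value parameter is a string, while the neighbouring calls in this hunk explicitly cast their values with `(string)`; for consistency and to avoid relying on implicit coercion, write `ini_set('session.cookie_httponly', '1');`. HttpOnly alone does not stop the install-tool session cookie from being sent over plain HTTP, so a follow-up worth considering is setting `session.cookie_secure` when the request is served over TLS, e.g. guarded by the same GeneralUtility environment lookup the next line uses for the path (`GeneralUtility::getIndpEnv('TYPO3_SSL')`, if that key is available in the supported branches — please verify). The enclosing method begins outside the hunk, so it is not visible here whether these ini_set() calls run before session_start(); the cookie flags only take effect if they do.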