[SECURITY] Make InstallTool session cookie HTTP-only 87/59087/2
authorOliver Hader <oliver@typo3.org>
Tue, 11 Dec 2018 09:55:23 +0000 (10:55 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:55:25 +0000 (10:55 +0100)
Resolves: #86955
Releases: master, 8.7, 7.6, 6.2
Security-Commit: d554a3f8d40df0e9019b89f7bb4f8fec85e15331
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: I6d74cc2bc2ba876986887564bb48eb5d5d8ae3ac
Reviewed-on: https://review.typo3.org/59087
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/install/Classes/Service/SessionService.php

index c43bc66..9edb5b0 100644 (file)
@@ -72,6 +72,7 @@ class SessionService implements \TYPO3\CMS\Core\SingletonInterface
         session_set_save_handler([$this, 'open'], [$this, 'close'], [$this, 'read'], [$this, 'write'], [$this, 'destroy'], [$this, 'gc']);
         session_save_path($sessionSavePath);
         session_name($this->cookieName);
+        ini_set('session.cookie_httponly', true);
         ini_set('session.cookie_path', GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
         // Always call the garbage collector to clean up stale session files
         ini_set('session.gc_probability', 100);
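Review bot: The new `ini_set('session.cookie_httponly', true)` passes a boolean where `ini_set()` declares its value parameter as `string` on the PHP versions these release branches (6.2 through 8.7) target; it only works through implicit coercion to `"1"`, and would be a `TypeError` if the file ever gains `declare(strict_types=1)`, so `ini_set('session.cookie_httponly', '1');` is the safer form. The return value is also not checked: if the directive is locked by a `php_admin_value` or `ini_set` is disabled, the call returns `false` and the Install Tool cookie silently stays readable from script — worth a check that at least logs the failure, since the whole point of the change is the hardening. The hunk does not show where `session_start()` is called; this setting only takes effect if it runs before session start, which presumably holds here but is worth confirming. Since the Install Tool session is as sensitive as a cookie gets, consider also setting `session.cookie_secure` when the request is detected as HTTPS, so the cookie is never sent over plaintext on TLS deployments.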