[SECURITY] Make InstallTool session cookie HTTP-only 95/59095/2
authorOliver Hader <oliver@typo3.org>
Tue, 11 Dec 2018 09:56:24 +0000 (10:56 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:56:26 +0000 (10:56 +0100)
Resolves: #86955
Releases: master, 8.7, 7.6, 6.2
Security-Commit: c7326315b4c80d8563419be040c8a2435ed925ea
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: I669fdd0de055554511c39de6c0f3f1efd19874b9
Reviewed-on: https://review.typo3.org/59095
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/install/Classes/Service/SessionService.php

index de387b2..d8f2d5c 100644 (file)
@@ -72,6 +72,7 @@ class SessionService implements \TYPO3\CMS\Core\SingletonInterface
         session_set_save_handler([$this, 'open'], [$this, 'close'], [$this, 'read'], [$this, 'write'], [$this, 'destroy'], [$this, 'gc']);
         session_save_path($sessionSavePath);
         session_name($this->cookieName);
+        ini_set('session.cookie_httponly', true);
         ini_set('session.cookie_path', GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
         // Always call the garbage collector to clean up stale session files
         ini_set('session.gc_probability', 100);
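Review bot: The return value of the added `ini_set('session.cookie_httponly', true);` is never checked, so if the directive cannot be changed at runtime (for instance when `ini_set` is disabled or the value is locked by the host's PHP configuration) the Install Tool cookie is silently issued without the HttpOnly flag, which is the very control this change introduces. Since the next line already configures `session.cookie_path` the same way, both could be applied in one call that covers path and HttpOnly together, `session_set_cookie_params(0, GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), '', false, true);`, or at minimum the result should be verified, `if (ini_set('session.cookie_httponly', true) === false) { /* log or fail: HttpOnly could not be enforced */ }`. The companion directive `session.cookie_secure` is not touched by the commit; it would presumably be the natural next step when the Install Tool is served over HTTPS, but that needs confirming against how the tool is deployed. The enclosing method starts and ends outside the hunk, so whether these calls precede `session_start()` cannot be verified here.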