[TYPO3-v4] Enable $TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] by default in 4.7

Steffen Müller typo3 at t3node.com
Fri Jan 13 22:45:50 CET 2012


Hi.

httponly cookies help to avoid stealing cookies using JavaScript XSS attacks.

It's now > 2 years and 3 releases (4.3) since an option for httpOnly
cookies was introduced to TYPO3 core. The option was turned off by
default to respect 3rd party extensions which make use of JavaScript
driven session handling, where the cookie needs to be fetched using
document.cookie etc.

1) Could anyone please report these extensions which are incompatible
with httpOnly?

2) I plead for turning this option on by default for 4.7 release,
because it's a security improvement.

What's your opinion?

-- 
cheers,
Steffen

TYPO3 Blog: http://www.t3node.com/
Twitter: @t3node - http://twitter.com/t3node
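As an added example (not part of the original post and not TYPO3's own code): a small Python check a site maintainer can run against a captured HTTP response to see whether the TYPO3 session cookies were issued without HttpOnly, which is the behaviour the cookieHttpOnly option controls. It assumes TYPO3's standard session cookie names fe_typo3_user and be_typo3_user; the two sample responses are constructed.

```python
from typing import Dict, List

# TYPO3's frontend/backend session cookie names (assumed for this check).
TYPO3_SESSION_COOKIES = ("fe_typo3_user", "be_typo3_user")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # "HttpOnly" -> "httponly"
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_httponly(set_cookie_headers: List[str],
                             names=TYPO3_SESSION_COOKIES) -> List[str]:
    """Return the session cookie names that were set without the HttpOnly flag."""
    missing = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in names and "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


def check_response(raw_response: str) -> List[str]:
    """Pull the Set-Cookie headers out of a raw HTTP response and run the check."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = [line.partition(":")[2].strip()
               for line in head.split("\r\n")[1:]          # skip the status line
               if line.lower().startswith("set-cookie:")]
    return cookies_missing_httponly(headers)


# Constructed sample responses: cookieHttpOnly off (the 4.x default) vs. on.
RESPONSE_DEFAULT = ("HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: fe_typo3_user=abc123; path=/\r\n"
                    "Set-Cookie: tracking=xyz; path=/\r\n"
                    "\r\n<html></html>")
RESPONSE_HARDENED = ("HTTP/1.1 200 OK\r\n"
                     "Set-Cookie: fe_typo3_user=abc123; path=/; HttpOnly\r\n"
                     "\r\n<html></html>")

if __name__ == "__main__":
    print(check_response(RESPONSE_DEFAULT))   # ['fe_typo3_user']
    print(check_response(RESPONSE_HARDENED))  # []
```

Only the session cookies are reported; other cookies such as the constructed `tracking` cookie are ignored because they are not what the TYPO3 option governs.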

