[Rt-commit] rt branch, 3.8/httponly-cookies, updated. rt-3.8.10-14-g06ace55

Alex Vandiver alexmv at bestpractical.com
Thu Jul 7 14:25:28 EDT 2011


The branch, 3.8/httponly-cookies has been updated
       via  06ace555d8c426c3fba833576b766aa886fcdb00 (commit)
      from  a740e98751ce11d3a5d80d3cd21cf2b83efacae4 (commit)

Summary of changes:
 etc/RT_Config.pm.in     |   13 +++++++++++++
 lib/RT/Interface/Web.pm |    2 +-
 2 files changed, 14 insertions(+), 1 deletions(-)

- Log -----------------------------------------------------------------
commit 06ace555d8c426c3fba833576b766aa886fcdb00
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Jul 7 14:24:46 2011 -0400

    Make httponly cookies a configuration option, defaulting to on

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index ea64a2e..1df9c66 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1235,6 +1235,19 @@ via SSL encrypted HTTP connections.
 
 Set($WebSecureCookies, 0);
 
+=item C<$WebHttpOnlyCookies>
+
+Default RT's session cookie to not being directly accessible to
+javascript.  The content is still sent during regular and AJAX requests,
+and other cookies are unaffected, but the session-id is less
+programmatically accessible to javascript.  Turning this off should only
+be necessary in situations with odd client-side authentication
+requirements.
+
+=cut
+
+Set($WebHttpOnlyCookies, 1);
+
 =item C<$WebFlushDbCacheEveryRequest>
 
 By default, RT clears its database cache after every page view.
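Review bot: the new documentation never names the cookie attribute it controls or the risk of turning it off; since the setting maps to the HttpOnly flag on the session cookie, the =item text should say so and state that disabling it removes a mitigation against session-cookie theft by injected script, so administrators understand what they give up. Suggested wording for the first sentence: "Sets the HttpOnly flag on RT's session cookie so that it is not directly readable by JavaScript." Also capitalise "javascript" as "JavaScript" in both places, and consider a cross-reference to C<$WebSecureCookies> directly above, since the two flags are set side by side in SendSessionCookie.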
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 2337bab..b3f593a 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -661,7 +661,7 @@ sub SendSessionCookie {
         -value    => $HTML::Mason::Commands::session{_session_id},
         -path     => RT->Config->Get('WebPath'),
         -secure   => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
-        -httponly => 1,
+        -httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
     );
 
     $HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
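Review bot: no test covers the new option; since this is the only place C<WebHttpOnlyCookies> is read, a test that requests the login page with the option set to 1 and to 0 and checks the resulting Set-Cookie header for the presence or absence of the HttpOnly attribute would lock in the default-on behaviour that the commit message promises. The ternary mirrors the -secure line above it, which is fine for consistency, but with the option off the session id becomes readable by script, so a one-line warning in the log when the value is false would make the weakened posture visible to administrators.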

-----------------------------------------------------------------------

