From: Brion Vibber
Date: Wed, 23 Apr 2008 20:27:31 +0000 (+0000)
Subject: Enable $wgCookieHttpOnly by default on PHP 5.2 or later.
X-Git-Tag: 1.31.0-rc.0~48113
X-Git-Url: http://git.cyclocoop.org/%22.%28%24lien.?a=commitdiff_plain;h=c8e4b8d366c6eaddacf9dd1ec3e31a3acb0c65ce;p=lhc%2Fweb%2Fwiklou.git

Enable $wgCookieHttpOnly by default on PHP 5.2 or later.
Version checks are still duplicated areound stcookie so that manually enabling it at least won't *break cookies entirely* on an old PHP version.
---
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 57b5bf9a0c..de89f28501 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1494,10 +1494,13 @@ $wgCookieSecure = ($wgProto == 'https');
 $wgDisableCookieCheck = false;
 
 /**
- * Set authentication cookies to httpOnly to prevent stealing by JS, in brow-
- * sers that support this feature.
+ * Set authentication cookies to HttpOnly to prevent access by JavaScript,
+ * in browsers that support this feature. This can mitigates some classes of
+ * XSS attack.
+ *
+ * Only supported on PHP 5.2 or higher.
  */
-$wgCookieHttpOnly = false;
+$wgCookieHttpOnly = version_compare("5.2", PHP_VERSION, "<");
 
 /** A list of cookies that vary the cache (for use by extensions) */
 $wgCacheVaryCookies = array();
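Review bot: The new default on the `+$wgCookieHttpOnly = version_compare("5.2", PHP_VERSION, "<");` line is correct (it is true on 5.2.0 and later, since "5.2" sorts below "5.2.0") but the reversed operand order hides the ">= 5.2" intent the docblock states; `$wgCookieHttpOnly = version_compare( PHP_VERSION, '5.2', '>=' );` expresses the same check in the form readers expect. The added docblock also overstates what the flag buys: HttpOnly only stops script from reading the cookie through `document.cookie`, while script injected by an XSS still runs with the victim's session and can issue authenticated requests, and browsers of that era could still leak HttpOnly cookies via XMLHttpRequest response headers or an enabled HTTP TRACE method. I would replace the added sentence "This can mitigates some classes of XSS attack." (which also has a grammar slip) with `* This limits cookie theft via document.cookie after an XSS, but does not stop an injected script from acting with the user's session; treat it as defence in depth, not an XSS fix.` The hunk is a complete run of top-level assignments, so nothing here depends on code outside the visible lines.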