prepended to the start of this array.
* $wgQueryPages has been removed. Query Pages should be added to by using the
wgQueryPages hook.
+* $wgHttpOnlyBlacklist has been removed.
=== New features in 1.23 ===
* ResourceLoader can utilize the Web Storage API to cache modules client-side.
*/
$wgCookieHttpOnly = true;
-/**
- * If the requesting browser matches a regex in this blacklist, we won't
- * send it cookies with HttpOnly mode, even if $wgCookieHttpOnly is on.
- */
-$wgHttpOnlyBlacklist = array(
- // Internet Explorer for Mac; sometimes the cookies work, sometimes
- // they don't. It's difficult to predict, as combinations of path
- // and expiration options affect its parsing.
- '/^Mozilla\/4\.0 \(compatible; MSIE \d+\.\d+; Mac_PowerPC\)/',
-);
-
/**
* A list of cookies that vary the cache (for use by extensions)
*/
return str_pad( $result, $pad, '0', STR_PAD_LEFT );
}
-/**
- * @return bool
- */
-function wfHttpOnlySafe() {
- global $wgHttpOnlyBlacklist;
-
- if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
- foreach ( $wgHttpOnlyBlacklist as $regex ) {
- if ( preg_match( $regex, $_SERVER['HTTP_USER_AGENT'] ) ) {
- return false;
- }
- }
- }
-
- return true;
-}
-
/**
* Check if there is sufficient entropy in php's built-in session generation
* @return bool true = there is sufficient entropy
# hasn't already been set to the desired value (that causes errors)
ini_set( 'session.save_handler', $wgSessionHandler );
}
- $httpOnlySafe = wfHttpOnlySafe() && $wgCookieHttpOnly;
wfDebugLog( 'cookie',
'session_set_cookie_params: "' . implode( '", "',
array(
$wgCookiePath,
$wgCookieDomain,
$wgCookieSecure,
- $httpOnlySafe ) ) . '"' );
- session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $httpOnlySafe );
+ $wgCookieHttpOnly ) ) . '"' );
+ session_set_cookie_params(
+ 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
session_cache_limiter( 'private, must-revalidate' );
if ( $sessionId ) {
session_id( $sessionId );
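Review bot: The debug entry built just above `session_set_cookie_params()` runs `$wgCookieSecure` and `$wgCookieHttpOnly` through `implode()`, so `false` is logged as an empty string and `true` as `1`. Now that the HttpOnly flag comes straight from configuration, someone auditing the 'cookie' log cannot easily tell whether the session cookie was issued with HttpOnly or Secure. Writing the two array entries as `var_export( $wgCookieSecure, true )` and `var_export( $wgCookieHttpOnly, true )` would record the values literally. The setting is also handed to `session_set_cookie_params()` without a cast, so a non-boolean value would be coerced by PHP; `(bool)$wgCookieHttpOnly` would make that explicit. The enclosing function starts and ends outside this hunk.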
$expire = time() + $wgCookieExpiration;
}
- // Don't mark the cookie as httpOnly if the requesting user-agent is
- // known to have trouble with httpOnly cookies.
- if ( !wfHttpOnlySafe() ) {
- $options['httpOnly'] = false;
- }
-
$func = $options['raw'] ? 'setrawcookie' : 'setcookie';
if ( wfRunHooks( 'WebResponseSetCookie', array( &$name, &$value, &$expire, $options ) ) ) {