From c8e4b8d366c6eaddacf9dd1ec3e31a3acb0c65ce Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Wed, 23 Apr 2008 20:27:31 +0000
Subject: [PATCH] Enable $wgCookieHttpOnly by default on PHP 5.2 or later.

Version checks are still duplicated areound stcookie so that manually enabling it at least won't *break cookies entirely* on an old PHP version.
---
 includes/DefaultSettings.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 57b5bf9a0c..de89f28501 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1494,10 +1494,13 @@ $wgCookieSecure = ($wgProto == 'https');
 $wgDisableCookieCheck = false;
 
 /**
- * Set authentication cookies to httpOnly to prevent stealing by JS, in brow-
- * sers that support this feature.
+ * Set authentication cookies to HttpOnly to prevent access by JavaScript,
+ * in browsers that support this feature. This can mitigates some classes of
+ * XSS attack.
+ *
+ * Only supported on PHP 5.2 or higher.
  */
-$wgCookieHttpOnly = false;
+$wgCookieHttpOnly = version_compare("5.2", PHP_VERSION, "<");
 
 /** A list of cookies that vary the cache (for use by extensions) */
 $wgCacheVaryCookies = array();
-- 
2.20.1
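Review bot: The new default `$wgCookieHttpOnly = version_compare("5.2", PHP_VERSION, "<");` is written in the opposite order to the comment above it ("PHP 5.2 or higher") and is easy to misread as disabling HttpOnly on newer PHP; `$wgCookieHttpOnly = version_compare(PHP_VERSION, '5.2', '>=');` evaluates the same condition in the order the comment states it. The added doc comment also has a grammar slip: ` * in browsers that support this feature. This can mitigates some classes of` should read ` * in browsers that support this feature. This can mitigate some classes of`. Because HttpOnly only stops script from reading the cookie value, it would help operators to state the limit of the mitigation in the same comment, e.g. ` * It does not stop requests issued by injected script from carrying the cookie.`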