
Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6961 closed enhancement (fixed)

Support HttpOnly and Secure cookies

Reported by: DJPaul
Owned by: djpaul
Milestone: 2.6
Priority: normal
Severity: normal
Version:
Component: Core
Keywords:



We have the following cookies:

  • bp-message
  • bp-message-type
  • bp_new_group_id
  • bp_completed_create_steps
  • bp_messages_send_to
  • bp_messages_subject
  • bp_messages_content

Change History (4)

#1 @DJPaul
8 years ago

...and more in the theme JS.

#2 @djpaul
8 years ago

  • Owner set to djpaul
  • Resolution set to fixed
  • Status changed from new to closed

In 10654:

Support secure cookies.

If the site is served over HTTPS, mark our cookies as secure.

Fixes #6961

Props DJPaul, w3dzign

#3 @DJPaul
8 years ago

I've added Secure cookie support, but not HttpOnly because some (maybe all) are accessed with JavaScript -- certainly the theme ones, and the group wizard cookies are good contenders for someone accessing with JavaScript. I haven't time to audit all the cookies in that level of detail at the moment, so maybe we can do that in the future, perhaps when we rework the template pack. ;)
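The per-cookie audit mentioned in the comment above can be sketched as follows. This is an added example, not part of the ticket or of BuddyPress code: it checks Set-Cookie values for the Secure flag and marks a cookie as an HttpOnly candidate only when its name does not appear in the JavaScript source. The sample headers, the sample script and the `readCookie` helper named in it are constructed for illustration.

```python
import re

# Constructed sample data: Set-Cookie values as captured from an HTTPS response,
# and a fragment of theme JavaScript (readCookie is a hypothetical helper).
SAMPLE_HEADERS = [
    "bp-message=Saved; Path=/; Secure",
    "bp-message-type=success; Path=/",
    "bp_new_group_id=12; Path=/; Secure",
]
SAMPLE_JS = """
var text = readCookie('bp-message');
document.cookie = 'bp-message-type=; path=/';
"""

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a}
    return name, flags

def js_references(name, js_source):
    """True if the exact cookie name occurs in the script text.

    Hyphens count as name characters, so 'bp-message' does not match
    inside 'bp-message-type'. Names assembled at runtime are not detected,
    so a negative result still needs a manual look.
    """
    pattern = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])"
    return re.search(pattern, js_source) is not None

def audit(headers, js_source, https=True):
    """Map each cookie name to a list of findings."""
    report = {}
    for value in headers:
        name, flags = parse_set_cookie(value)
        findings = []
        if https and "secure" not in flags:
            findings.append("missing Secure")
        if "httponly" not in flags:
            if js_references(name, js_source):
                findings.append("read by JS, HttpOnly would break it")
            else:
                findings.append("HttpOnly candidate")
        report[name] = findings
    return report

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS, SAMPLE_JS).items():
        print(cookie, "->", ", ".join(findings) or "ok")
```

Cookies that are created only in client-side script never appear in a Set-Cookie header, so they have to be collected from the browser's cookie store or the script source instead.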

#4 @DJPaul
8 years ago

  • Component changed from Component - Any/All to Core