View Issue Details

IDProjectCategoryView StatusLast Update
0029027mantisbtotherpublic2023-10-31 16:32
Reporteraaribaud Assigned Tocommunity  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version2.25.2 
Target Version2.26.0Fixed in Version2.26.0 
Summary0029027: function gpc_set_cookie() ignores $p_httponly argument
Description

Function gpc_set_cookie() provides an argument called $p_httponly which should determine whether the cookie being set has the HttpOnly flag.

However, inside gps_set_cookie(), the setcookie call uses the constant value true for the HttpOnly flag, instead of using the value of $p_httponly.

This causes all cookies to be HttpOnly, thus preventing use cases where Javascript would need to change the cookie value.

Steps To Reproduce

Request a page which calls gpc_set_cookie() with value false for argument $p_httponly.
Try and modify the cookie from Javascript.
Observe that in subsequent HTTP requests, the modification is ignored.

TagsNo tags attached.

Activities

Related Changesets

MantisBT: master 669dfa6c

2021-08-15 23:34

aaribaud

Committer: dregad


Details Diff
Fix gpc_set_cookie ignoring HttpOnly parameter

Fixes 0029027
Affected Issues
0029027
mod - core/gpc_api.php Diff File