Skip to content

Fixed HttpOnly flag when using Cookie::fromString() #23426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 6, 2017
Merged

Fixed HttpOnly flag when using Cookie::fromString() #23426

merged 1 commit into from
Jul 6, 2017

Conversation

Toflar
Copy link
Contributor

@Toflar Toflar commented Jul 6, 2017

Q A
Branch? 3.3
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets #23424
License MIT
Doc PR -

Using Cookie::fromString() should not set the HttpOnly flag to true by default. This is a factory method and it should create an instance of Cookie that represents exactly what the string contains.

sstok
sstok approved these changes Jul 6, 2017
View reviewed changes
Copy link
Contributor

@sstok sstok left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Status: Reviewed

@greg0ire
Copy link
Contributor

greg0ire commented Jul 6, 2017

Suggested commit message:

Preserve HttpOnly value when deserializing a header

The specification states that the cookie should be considered http only if and
only if the flag is present.
See https://www.owasp.org/index.php/HttpOnly

@Toflar
Preserve HttpOnly value when deserializing a header
73187d0 
The specification states that the cookie should be considered http only if and
only if the flag is present.
See https://www.owasp.org/index.php/HttpOnly
@Toflar Toflar force-pushed the fix-httponly-flag branch from 6c8878c to 73187d0 Compare July 6, 2017 09:04
@Toflar
Copy link
Contributor Author

Toflar commented Jul 6, 2017

Updated commit message accordingly :)

@nicolas-grekas nicolas-grekas added this to the 3.3 milestone Jul 6, 2017
@fabpot
Copy link
Member

fabpot commented Jul 6, 2017

Thank you @Toflar.

@fabpot fabpot merged commit 73187d0 into symfony:3.3 Jul 6, 2017
fabpot added a commit that referenced this pull request Jul 6, 2017
@fabpot
bug #23426 Fixed HttpOnly flag when using Cookie::fromString() (Toflar)
71c6f99 
This PR was merged into the 3.3 branch.

Discussion
----------

Fixed HttpOnly flag when using Cookie::fromString()

| Q             | A
| ------------- | ---
| Branch?       | 3.3
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #23424
| License       | MIT
| Doc PR        | -

Using `Cookie::fromString()` should not set the `HttpOnly` flag to `true` by default. This is a factory method and it should create an instance of `Cookie` that represents exactly what the string contains.

Commits
-------

73187d0 Preserve HttpOnly value when deserializing a header
@Toflar Toflar deleted the fix-httponly-flag branch July 6, 2017 09:25
@fabpot fabpot mentioned this pull request Jul 17, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@greg0ire greg0ire greg0ire approved these changes

@sstok sstok sstok approved these changes

@kalimerre kalimerre kalimerre approved these changes

Assignees
No one assigned
Labels
Bug Status: Needs Review
Projects
None yet
Milestone
3.3
Development

Successfully merging this pull request may close these issues.
7 participants
@Toflar @greg0ire @fabpot @nicolas-grekas @sstok @kalimerre @carsonbot