Hi,
At the moment it is possible to set the cookie domain from the config file. Would the devs consider also adding a similar option for the session cookie path?
Thanks,
Phil

_______________________________________________
List info: http://lists.roundcube.net/dev/ BT/aba52c80
On Thu, 15 Sep 2011 14:18:19 +0100, Phil Weir wrote:
> Hi,
> At the moment it is possible to set the cookie domain from the config file. Would the devs consider also adding a similar option for the session cookie path?
I'm not an rc developer, but here are my few cents: Even though setting the path of a cookie doesn't really prevent any XSS [1], I think all cookie related values should be configurable:

- cookie name (see the diff I sent a couple of days ago)
- cookie path
- cookie domain (already done)
- secure flag is already done, I believe (by checking if SSL is in use)
- httponly is set hard-coded and should not be changeable, IMO

Cheers, Stephan

[1] http://code.google.com/p/doctype/wiki/ArticleCompartmentalizingApplications
I have attached a patch to add a session_path config option.
I have also attached a very basic patch to pass the domain, path and secure flag to the JS, so the same information can be used when setting cookies on the client side, like the cookie that stores the info for the splitter.
Phil
Attachments:
- http://detached.gigo.com/rc/Kz/XhNVmfIH/js_cookies.patch
- http://detached.gigo.com/rc/Kz/XhNVmfIH/session_path.patch
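The client-side half of what the js_cookies patch describes, as an added example that is not code from either patch or from Roundcube: a helper that takes the domain, path and secure values the server would pass down and builds the string assigned to document.cookie, so a browser-set cookie (such as the splitter cookie) carries the same attributes as the session cookie. The config object shape `{domain, path, secure}`, the cookie name and the validation rules are assumptions of this example.

```javascript
// Added example, not from the patches on this thread. Builds the string that
// client-side code assigns to document.cookie so that cookies set in the
// browser carry the same domain, path and secure attributes the server uses
// for the session cookie. The config object shape {domain, path, secure} is
// an assumption; the real patch may expose the values under other names.

// Cookie names must be RFC 6265 "tokens". Rejecting anything else keeps a
// name from smuggling extra attributes ("x; domain=...") into the string.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function buildCookieString(name, value, cfg, maxAgeSeconds) {
  if (!TOKEN_RE.test(name)) {
    throw new Error('invalid cookie name');
  }
  // encodeURIComponent escapes ';', ',', whitespace and control characters,
  // so the encoded value cannot terminate or extend the attribute list.
  const parts = [name + '=' + encodeURIComponent(String(value))];
  if (cfg.domain) {
    if (!/^\.?[A-Za-z0-9.-]+$/.test(cfg.domain)) throw new Error('invalid cookie domain');
    parts.push('domain=' + cfg.domain);
  }
  // Default to "/" rather than the browser's "current directory" rule, so the
  // scope is always explicit and matches what the server configured.
  const path = cfg.path || '/';
  if (!path.startsWith('/') || /[;\s]/.test(path)) throw new Error('invalid cookie path');
  parts.push('path=' + path);
  if (Number.isFinite(maxAgeSeconds)) {
    parts.push('max-age=' + Math.floor(maxAgeSeconds));
  }
  // The secure flag mirrors the server's decision (SSL in use), so a cookie
  // written from an HTTPS page is never sent back over plain HTTP.
  if (cfg.secure) {
    parts.push('secure');
  }
  // HttpOnly cannot be set from JavaScript: a cookie created here is always
  // readable by scripts, which is why it must never hold a session id.
  return parts.join('; ');
}

// Constructed sample config, in the shape the server-side patch might expose.
const sampleConfig = { domain: 'mail.example.org', path: '/roundcube', secure: true };

// Constructed cookie name for the splitter position; 30-day lifetime.
function demo() {
  return buildCookieString('splitter_pos', '250', sampleConfig, 86400 * 30);
}
```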