Open ssnepenthe opened 3 years ago
Yeah, I'm not yet sure which option to go with, but something should be done about this.
Another good idea would be to remove authentication tokens from headers. Will probably do a bigger overhaul of the password removal code in 6.0.
Probably not a big deal because why would we be putting passwords in cookies...
In PhpDataSource you are running $_COOKIE through DataSource::removePasswords(). But in PhpDataSource::getRequestHeaders() nothing is done about the cookie header which contains the same data.
Maybe the cookie header could just be dropped? Data is already collected elsewhere.
Alternatively, parse the header into an array, remove passwords, and put it back together as a string.
Or maybe just forget about it because why would we store our password in a cookie?
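The second option from the post above (parse the cookie header, remove passwords, rebuild the string), sketched as an added example that is not Clockwork's own code. The function names, the `$needles` list, the mask string and the `name => [values]` header shape are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Clockwork. $needles is an assumed list of
// substrings that mark a cookie name as sensitive.
function redactCookieHeader(string $header, array $needles = ['pass', 'token'], string $mask = '*removed*'): string
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue; // tolerate stray or trailing semicolons
        }
        // Split on the first "=" only; values may contain "=" (base64 padding).
        $parts = explode('=', $pair, 2);
        if (count($parts) === 1) {
            $out[] = $pair; // no "=" at all: no name to match, keep as sent
            continue;
        }
        $sensitive = false;
        foreach ($needles as $needle) {
            if (stripos($parts[0], $needle) !== false) {
                $sensitive = true;
                break;
            }
        }
        $out[] = $parts[0] . '=' . ($sensitive ? $mask : $parts[1]);
    }
    return implode('; ', $out);
}

// Assumes headers shaped as name => list of values; the name match is
// case-insensitive because header names are.
function redactRequestHeaders(array $headers): array
{
    foreach ($headers as $name => $values) {
        if (strcasecmp((string) $name, 'cookie') === 0) {
            $headers[$name] = array_map('redactCookieHeader', (array) $values);
        }
    }
    return $headers;
}

// Constructed sample input, not taken from a real request.
$sample = ['cookie' => ['theme=dark; user_password=hunter2; pad=YWJj=; flag;']];
var_dump(redactRequestHeaders($sample));
```

Matching on the raw header keeps cookie names exactly as the client sent them, so the stored header and the separately collected cookie data are masked by the same name rule.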