Open terrymun opened 6 years ago
Right now calls to setcookie() actually use the PHP default (i.e. false) for the HTTPonly and secure flags. The secure flag should always be true, and the httponly flag should be true if we know that it is not accessed by JS.
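One way to find the calls this issue describes, as an added example that is not part of the original issue or the project's code: a small Python audit that reports every `setcookie()` call whose `secure` or `httponly` flag is not the literal `true`, covering both the positional form and the PHP 7.3+ options-array form. The function names (`call_args`, `audit`) and the sample PHP are constructed for illustration; flags passed as variables are reported too, for manual review.

```python
import re

# PHP positional signature: setcookie(name, value, expires, path, domain, secure, httponly)
POSITIONS = (("secure", 5), ("httponly", 6))

def call_args(src, start):
    """Split the argument list that begins at src[start] on top-level commas."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":                      # keep an escaped char inside a string
                cur.append(src[i:i + 2]); i += 2; continue
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:                      # closing paren of setcookie(...)
                break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    last = "".join(cur).strip()
    return args + ([last] if last else [])

def audit(src):
    """Return [(line, [flags not set to literal true])] for each setcookie() call."""
    findings = []
    for m in re.finditer(r"\bsetcookie\s*\(", src):
        args = call_args(src, m.end())
        if len(args) >= 3 and re.match(r"\[|array\s*\(", args[2]):
            # PHP 7.3+ options-array form: look for 'flag' => true
            ok = {k: bool(re.search(rf"['\"]{k}['\"]\s*=>\s*true\b", args[2], re.I))
                  for k, _ in POSITIONS}
        else:
            # Omitted trailing arguments fall back to PHP's default, false
            ok = {k: len(args) > i and args[i].lower() == "true" for k, i in POSITIONS}
        missing = [k for k, v in ok.items() if not v]
        if missing:
            findings.append((src.count("\n", 0, m.start()) + 1, missing))
    return findings

# Constructed sample input, not code from the project
SAMPLE = '''<?php
setcookie("lang", $lang, time() + 3600, "/");
setcookie("sid", $sid, 0, "/", "", true, true);
setcookie("theme", $theme, 0, "/", "", true);
setcookie("tok", $tok, ["expires" => 0, "path" => "/", "secure" => true, "httponly" => true]);
setcookie("a,b", implode(",", [1, 2]), 0, "/", "", false, true);
'''

if __name__ == "__main__":
    for line, missing in audit(SAMPLE):
        print(f"line {line}: not true -> {', '.join(missing)}")
```

Cookies that JavaScript legitimately reads will still show up under `httponly`; those findings are the ones to confirm by hand rather than change blindly.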