Suggest setting session.httponly to 1 to avoid easy scripted XSS attacks

14 years ago · 461618a783
parent fe02751626
commit 461618a783
1 changed files with 5 additions and 0 deletions
--- a/main/install/install.lib.php
+++ b/main/install/install.lib.php
@ -1140,6 +1140,11 @@ function display_requirements($installType, $badUpdatePath, $updatePath = '', $u
                <td class="requirements-recommended">OFF</td>
                <td class="requirements-value">'.check_php_setting('short_open_tag','OFF').'</td>
            </tr>
+            <tr>
+                <td class="requirements-item"><a href="http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly">Cookie HTTP Only</a></td>
+                <td class="requirements-recommended">1</td>
+                <td class="requirements-value">'.check_php_setting('session.cookie_httponly','1').'</td>
+            </tr>
            <tr>
                <td class="requirements-item"><a href="http://php.net/manual/ini.core.php#ini.upload-max-filesize">Maximum upload file size</a></td>
                <td class="requirements-recommended">10M-100M</td>