durusmail: quixote-users: Patch for secure and httponly cookies
Emmanuel Dreyfus
2009-04-12
Neil Schemenauer wrote:

> Is there any reason for having both SESSION_COOKIE_SECURE and
> SESSION_COOKIE_HTTPONLY? Maybe SESSION_COOKIE_SECURE should
> imply both.

Well, leave the choice to the user? I guess you could find situations
where one is desirable but not the other: if you don't rely on SSL for
security, but on a VPN for instance, then session_cookie_secure is
undesirable, but session_cookie_httponly can remain interesting.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
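The plain-HTTP-over-VPN case from the message above, as an added example that is not part of the original post or of Quixote's code. It uses Python's `http.cookiejar` as the client; the host name `intranet.example`, the cookie value and the function names are constructed for illustration.

```python
import email
import urllib.request
from http.cookiejar import CookieJar


class _Response:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string("Set-Cookie: %s\n\n" % set_cookie)

    def info(self):
        return self._headers


def session_cookie_header(secure, httponly):
    """Build the Set-Cookie value from the two independent settings."""
    parts = ["sid=constructed-session-id", "Path=/"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def evaluate(origin, secure, httponly):
    """Return (sent_back, script_readable) for a client talking to origin."""
    jar = CookieJar()
    login = urllib.request.Request(origin + "/login")
    jar.extract_cookies(_Response(session_cookie_header(secure, httponly)), login)

    # Secure: the client only returns the cookie on an https request.
    follow_up = urllib.request.Request(origin + "/account")
    jar.add_cookie_header(follow_up)
    sent_back = follow_up.has_header("Cookie")

    # HttpOnly is enforced by browsers, not by http.cookiejar: a cookie that
    # carries the attribute is withheld from document.cookie.
    script_readable = not any(c.has_nonstandard_attr("HttpOnly") for c in jar)
    return sent_back, script_readable


if __name__ == "__main__":
    for origin in ("http://intranet.example", "https://intranet.example"):
        for secure in (False, True):
            for httponly in (False, True):
                print(origin, secure, httponly, evaluate(origin, secure, httponly))
```

On the `http://` origin the Secure cookie is stored but never returned, so the session is lost, while HttpOnly alone keeps the session working and still hides the cookie from script.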