Subject: add support for the httpOnly cookie flag
Hi. Love the module. Came across this link today: http://www.webappsec.org/articles/013105.html
Which says:
-------
When a cookie is set and tagged with httpOnly, JavaScript is then unable to read the cookie value. Meaning, when a Cross-Site Scripting attack occurs, the hacker gets an empty value from the cookie and stealing it becomes a pointless exercise, thereby making a session hi-jacking attack via Cross-Site Scripting much harder.
-------
Even though support for this flag isn't universal (yet), it would be nice to have an option to append the flag. In the meantime I guess I can override the cookie_string() method.
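Added example, not code from the original ticket or the module it concerns: the helper names and sample headers below are constructed assumptions. It builds a Set-Cookie header value with HttpOnly appended and, from the defender's side, parses Set-Cookie values (attribute names are case-insensitive per RFC 6265) to audit which cookies a script could still read.

```python
"""Build and audit Set-Cookie headers for the HttpOnly flag.

Constructed example; helper names are assumptions, not the module's API.
"""


def build_set_cookie(name, value, *, path="/", max_age=None,
                     secure=False, httponly=True):
    """Return a Set-Cookie header value, appending HttpOnly by default."""
    parts = [f"{name}={value}"]
    if path:
        parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    value-less flags such as HttpOnly and Secure.
    """
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def cookies_without_httponly(headers):
    """Names of cookies lacking HttpOnly, i.e. readable via document.cookie."""
    return [parse_set_cookie(h)[0] for h in headers
            if not parse_set_cookie(h)[2].get("httponly")]


# Constructed sample Set-Cookie values, as seen in a test client's response.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",  # session cookie, protected
    "theme=dark; Path=/; Max-Age=2592000",         # readable by script, fine
    "remember=tok9; path=/; httponly",             # lower-case flag still counts
]
```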