MDL-50160
- Improvement
- Resolution: Fixed
- Minor
- 2.8.5, Future Dev
- MOODLE_28_STABLE, MOODLE_403_STABLE, master
- Easy
- Team Hedgehog 2023 Review 2, Team Hedgehog 2023 Sprint 3.1
Issue location:
Site Administration / Security / HTTP security / Only http cookies
Current description reads:
Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks
PHP is now at 8.2, and another six years have passed since this issue last had traffic. It is time to revisit it and move it forward.
While a lot of the AICC/SCORM content should have aged out by now, we'll still go down a deprecation path for this. Questions have also been raised around LTI. Based on research, LTI does not inherently require client-side access to cookies, and its core functionality (launching a tool, returning grades, etc.) should work independently of whether cookies are set to HttpOnly. However, there may be specific implementations that require this. Having the option to disable HttpOnly cookies will help handle those cases, and defaulting HttpOnly to on should help surface any such scenarios.
Based on the discussion in this ticket and more internal team discussion, the behavior should be:
- Default HTTP only cookies to on in new installs
- Remove the UI setting
- Add a config.php override to turn it on, documented in config-dist.php
- Deprecate and then remove the functionality in line with policy
- For existing sites that are upgraded, the current setting should persist (when the UI is removed), the behaviour can be set in config.php
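Once the default flips, or an admin sets the override in config.php (the cookiehttponly setting that MDL-55490 refers to), the way to confirm the change actually reached the browser is to look at the Set-Cookie headers the site emits. The script below is an added example, not Moodle code: it parses Set-Cookie header values and lists any cookie that lacks the HttpOnly attribute. The header values and cookie names are constructed samples, not Moodle's real cookie names. Note that HttpOnly does not stop XSS itself; it only keeps injected script from reading the cookie value, which is the "some types of XSS attacks" the setting description alludes to.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example for checking a site after enabling HttpOnly cookies.
Not part of Moodle; the sample headers and cookie names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CookieFlags:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie header value into the attributes we care about.

    Attribute names are case-insensitive (RFC 6265), so a server that
    emits "httponly" or "HTTPONLY" is still counted as setting the flag.
    """
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    httponly = secure = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieFlags(name, httponly, secure, samesite)


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies set without HttpOnly, in header order."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


# Constructed sample response headers (placeholder cookie names): one
# session cookie correctly protected, one cookie readable by scripts,
# and one whose attribute casing differs but is still compliant.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PREFS=theme-dark; Path=/; Secure",
    "TRACK=xyz; path=/; httponly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(parse_set_cookie(header))
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```

In practice the header list would come from the response to a login request (for example, captured with the browser's network panel or a `curl -I` run against the site); feed those values to `cookies_missing_httponly` and expect an empty list for the session cookie after the upgrade.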
Is duplicated by: MDL-55490 cookiehttponly should default to on (Closed)