Newsgroups: php.internals
Message-ID: <20060808004453.6ihrwcs44oc8gg80@webmail.spamcop.net>
Date: Tue, 08 Aug 2006 00:44:53 +0100
To: steve
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] HTTP-Only Patch
From: scottmacvicar@ntlworld.com (Scott M)

Quoting steve:

> Just a note -- having implemented and deployed this (in userspace, not
> in php itself) -- setting the http_only flag kills the cookie in IE on
> the Mac. One would hope no one is using such a thing anymore, but I
> thought I'd point it out, and I'm definitely in favor of the change.
> Maybe it will get Mozilla to finally implement it (and deal with a
> cookie file format change -- ooh, biggie).
>

IE for Mac isn't part of our test suite here so I never gave it a check; frankly, it's no longer supported by Microsoft or Apple and has since been superseded by Safari. Suitable documentation can be added explaining the problem with IE for Mac, though I suspect it has already disappeared through its lack of support for "Web 2.0".

Our test results showed that Opera, WebKit, Gecko and IE-based browsers had no problem with the cookie format sent; those which didn't support HttpOnly simply ignored it (Gecko).

The Mozilla feature request is at https://bugzilla.mozilla.org/show_bug.cgi?id=178993

A patch was submitted after sponsorship from Live Journal, but since the change wasn't backwards compatible with older versions of the browsers they refused to implement it.

Cheers,
Scott