On Thu, 15 Sep 2011 14:18:19 +0100, Phil Weir wrote:
> Hi,
>
> At the moment it is possible to set the cookie domain from the config
> file. Would the devs consider also adding a similar option for the
> session cookie path?

I'm not an rc developer, but here's my few cents:

Even though setting the path of a cookie doesn't really prevent any XSS [1], I think all cookie-related values should be configurable:

- cookie name (see the diff I sent a couple of days ago)
- cookie path
- cookie domain (already done)
- secure flag is already done, I believe (by checking if SSL is in use)
- httponly is set hard-coded and should not be changeable, IMO

Cheers,
Stephan

[1] http://code.google.com/p/doctype/wiki/ArticleCompartmentalizingApplications
