Neil Schemenauer <[email protected]> wrote: > Is there any reason for having both SESSION_COOKIE_SECURE and > SESSION_COOKIE_HTTPONLY? Maybe SESSION_COOKIE_SECURE should > imply both.
Well, leave the choice to the user? I guess you could find situations where one is desirable but not the other: if you don't rely on SSL for security, but on a VPN for instance, then session_cookie_secure is undesirable, but session_cookie_httponly can remain interesting. -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz [email protected] _______________________________________________ Quixote-users mailing list [email protected] http://mail.mems-exchange.org/mailman/listinfo/quixote-users
