Merge branch 'master_MDL-50160' of https://github.com/mattporritt/moodle

admin/settings/security.php

@@ -164,7 +164,6 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
     $temp = new admin_settingpage('httpsecurity', new lang_string('httpsecurity', 'admin'));
 
     $temp->add(new admin_setting_configcheckbox('cookiesecure', new lang_string('cookiesecure', 'admin'), new lang_string('configcookiesecure', 'admin'), 1));
-    $temp->add(new admin_setting_configcheckbox('cookiehttponly', new lang_string('cookiehttponly', 'admin'), new lang_string('configcookiehttponly', 'admin'), 0));
     $temp->add(new admin_setting_configcheckbox('allowframembedding', new lang_string('allowframembedding', 'admin'), new lang_string('allowframembedding_help', 'admin'), 0));
 
     // Settings elements used by the \core\files\curl_security_helper class.

admin/upgrade.txt

@@ -1,5 +1,15 @@
 This files describes API changes in /admin/*.
 
+=== 4.3 ===
+
+* Removed admin setting cookiehttponly Moodle now defaults to HTTP only cookies for new installs only.
+  Existing sites will not be affected by this change. The setting can be changed in config.php if required.
+  To enable for upgraded sites set: $CFG->cookiehttponly = true;
+  To disable for new sites set: $CFG->cookiehttponly = false;
+
+  Existing cookies will not be affected by this change, until they are expired or deleted.
+
+
 === 4.2 ===
 
 * A new admin setting coursecreationguide allows admins to configure the URL of the Quickstart guide for admins and managers.

config-dist.php

@@ -1213,6 +1213,20 @@ $CFG->admin = 'admin';
 //      $CFG->showservicesandsupportcontent = false;
 //
 //=========================================================================
+// 20. NON HTTP ONLY COOKIES
+//=========================================================================
+//
+//  Cookies in Moodle now default to HTTP only cookies. This means that they cannot be accessed by JavaScript.
+//  Upgraded sites will keep the behaviour they had before the upgrade. New sites will have HTTP only cookies enabled.
+//  To enable HTTP only cookies set the following:
+//
+//      $CFG->cookiehttponly = true;
+//
+//  To disable HTTP only cookies set the following:
+//
+//      $CFG->cookiehttponly = false;
+//
+//=========================================================================
 // ALL DONE!  To continue installation, visit your main page with a browser
 //=========================================================================
 

lang/en/admin.php

@@ -197,7 +197,6 @@ $string['configautologinguests'] = 'Should visitors be logged in as guests autom
 $string['configbloglevel'] = 'This setting allows you to restrict the level to which user blogs can be viewed on this site.  Note that they specify the maximum context of the VIEWER not the poster or the types of blog posts.  Blogs can also be disabled completely if you don\'t want them at all.';
 $string['configcalendarcustomexport'] = 'Enable custom date range export of calendar';
 $string['configcalendarexportsalt'] = 'This random text is used for improving of security of authentication tokens used for exporting of calendars. Please note that all current tokens are invalidated if you change this hash salt.';
-$string['configcookiehttponly'] = 'Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.';
 $string['configcookiesecure'] = 'If server is accepting only https connections it is recommended to enable sending of secure cookies. If enabled please make sure that web server is not accepting http:// or set up permanent redirection to https:// address and ideally send HSTS headers. When <em>wwwroot</em> address does not start with https:// this setting is ignored.';
 $string['configcountry'] = 'If you set a country here, then this country will be selected by default on new user accounts.  To force users to choose a country, just leave this unset.';
 $string['configcoursegraceperiodafter'] = 'Classify past courses as in progress for these many days after the course end date.';
@@ -426,7 +425,6 @@ $string['contextlocking'] = 'Context freezing';
 $string['contextlocking_desc'] = 'This setting enables read-only access to be set for selected categories, courses, activities or blocks.';
 $string['contextlockappliestoadmin'] = 'Context freezing applies to administrators';
 $string['contextlockappliestoadmin_desc'] = 'If disabled, administrators remain with write access to any frozen contexts.';
-$string['cookiehttponly'] = 'Only http cookies';
 $string['cookiesecure'] = 'Secure cookies only';
 $string['contenttypeuninstalling'] = 'There are {$a->count} contents supported by {$a->type}. They will be deleted. Are you sure you want to proceed?';
 $string['country'] = 'Default country';

lib/classes/session/manager.php

@@ -321,7 +321,7 @@ class manager {
         $cookiesecure = is_moodle_cookie_secure();
 
         if (!isset($CFG->cookiehttponly)) {
-            $CFG->cookiehttponly = 0;
+            $CFG->cookiehttponly = 1;
         }
 
         // Set sessioncookie variable if it isn't already.