change the "secure" and "httpOnly" attributes of the session "cookie-agreed" and "cookie-agreed-version"

I'll assume this report concerns 8.x-1.x.

Does anyone have an idea about this issue? i use drupal 10 and the module eu cookie compliance

Emircan Erkul → made their first commit to this issue’s fork.

My PR includes secure attribute options for both. We can not make httpOnly true because eu_cookie_compliance uses those cookies via JS.

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (https://owasp.org/www-community/HttpOnly)

alex bukach → made their first commit to this issue’s fork.

Provided patch for 8.x-1.24 based on MR!142.

The patch does not apply to 8.x-1.25. Needs reroll.

prem suthar → made their first commit to this issue’s fork.

hi @prem suthar, I updated the module to 1.25, and tried to apply the patch with your new commit. The patch can't apply.

this won't apply to the security release either - 1.26.0

Created MR!160 that re-rolls patch #11 against HEAD (still based on the idea of MR!142). Here's the respective patch.

Thanks Alex for the re-roll, i've made some corrections since the setCookies wasn't working.

I removed the version option, as this seems deprecated in modern times, feel free to correct me.
When set in the configuration, the Secure flag will now be set in the cookie.

I'm just wondering if someone happens to untick the config option for Secure, should the cookie consent pop up again?

Also - haven't done anything about httpOnly, should we be checking headers? i'm not sure if we can.

i'll leave this in needs review, if the community could test, and i'll look at merging this for the next release.

Thanks!