- Issue created by @max-kuzomko
- Status changed to Postponed: needs info
about 2 months ago 11:55am 3 May 2024 - 🇺🇸United States cilefen
Drupal 9 is end-of-life and has no security support. Update to a supported version.
- Status changed to Active
about 2 months ago 12:38pm 3 May 2024 - 🇺🇦Ukraine max-kuzomko
@cilefen, the same issue in Drupal 10.1:
core/modules/big_pipe/src/Controller/BigPipeController.php
$response->headers->setCookie(new Cookie(BigPipeStrategy::NOJS_COOKIE, TRUE, 0, '/', NULL, FALSE, FALSE, FALSE, NULL));
It sets HttpOnly to FALSE.
- 🇯🇴Jordan Mohammad-Fayoumi Amman
I've encountered this issue and realized that we need to secure the cookies by ensuring our website is configured to use HTTPS, which involves having an SSL/TLS certificate installed. Additionally, the cookies should have the Secure attribute.
There are multiple ways to add these security flags, either by editing the application code (bigpipe code) or updating the web server configuration files, such as the Apache configuration file (httpd.conf or apache2.conf).
Apache configuration file (httpd.conf or apache2.conf):
<IfModule mod_headers.c>
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
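Added example, not part of the thread and not Drupal or Apache code: a Python check that reports which Set-Cookie values lack HttpOnly or Secure, and models the `Header edit` rule quoted above to show that it also appends the flags to cookies that already carry them. The sample header values and all function names are constructed for illustration.

```python
import re

# Constructed sample Set-Cookie values (illustrative, not captured traffic).
SAMPLE_HEADERS = [
    "big_pipe_nojs=1; path=/",
    "SESSexample=abc123; path=/; secure; HttpOnly; SameSite=Lax",
]
FLAGS = ("httponly", "secure")


def attributes(set_cookie):
    """Return the lower-cased attribute names after the name=value pair."""
    parts = [p.strip() for p in set_cookie.split(";")[1:] if p.strip()]
    return [p.split("=", 1)[0].strip().lower() for p in parts]


def missing_flags(set_cookie):
    """List which of HttpOnly / Secure the cookie does not carry."""
    attrs = attributes(set_cookie)
    return [f for f in FLAGS if f not in attrs]


def apache_header_edit(set_cookie):
    """Model of: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure"""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", set_cookie, count=1)


def duplicated_flags(set_cookie):
    """List flags that appear more than once (a side effect of a blanket edit)."""
    attrs = attributes(set_cookie)
    return sorted(f for f in FLAGS if attrs.count(f) > 1)


def audit(headers):
    """Return one report row per header: before, after, and duplicate flags."""
    rows = []
    for h in headers:
        edited = apache_header_edit(h)
        rows.append({
            "cookie": h.split("=", 1)[0],
            "missing_before": missing_flags(h),
            "missing_after": missing_flags(edited),
            "duplicated_after": duplicated_flags(edited),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        print(row)
```

The same `missing_flags` check can be run over the Set-Cookie values returned by a site to confirm that a code or server-configuration change took effect.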