Need to protect DW cookies from a "sidejacking" attack (session hijacking by capturing cookies sent over unencrypted HTTP). At the same time, the impact of XSS can be mitigated.
Whilst it can be argued that any site using SSL should set up its php.ini file "sensibly", there are times when this is not possible (e.g. hosted environments). The suggested settings in php.ini are:
session.cookie_secure = 1
session.cookie_httponly = 1
This can also be set in .htaccess, but only for Apache.
It can be set in DW code by calling session_set_cookie_params() with the flags enabled, immediately before session_start().
In addition, DW's use of non-session cookies needs to be reviewed to ensure that these are also protected appropriately; the flags have to be applied wherever each such cookie is set (i.e. on an "as used" basis).
Note that it should be possible to always use "secure"; "secure" doesn't mean "SSL only". RFC 2965 (http://www.faqs.org/rfcs/rfc2965.html) says: 'When it sends a "secure" cookie back to a server, the user agent SHOULD use no less than the same level of security as was used when it received the cookie from the server.' Thus "secure" cookies should work correctly on pure http sites.
"httponly" could affect any plugin that expects JavaScript to be able to access DW cookies. That is likely to be extremely rare. If a plugin needs access to cookies it sets itself, then it can set its own cookies to be non-httponly.
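The in-code approach above (session_set_cookie_params() before session_start(), plus flagging non-session cookies "as used", with plugins able to opt out of httponly for their own cookies) as an added example; this is not DokuWiki's own code, and the function names, the cookie name and the token value are constructed for illustration:

```php
<?php
// Added example, not DokuWiki's own code: set the secure and httponly flags
// from PHP so they apply even where php.ini cannot be edited (shared hosting).

// Must run before session_start(); changing the parameters afterwards does
// not alter the Set-Cookie header already sent for this session.
function harden_session_cookie(): void
{
    $p = session_get_cookie_params(); // keep configured lifetime/path/domain
    session_set_cookie_params(
        $p['lifetime'],
        $p['path'],
        $p['domain'],
        true,  // secure: the browser returns the cookie only over HTTPS
        true   // httponly: hidden from document.cookie, limiting XSS impact
    );
}

// Wrapper for DW's non-session cookies so the flags are applied "as used".
// A plugin that needs JavaScript access to its own cookie passes
// $httponly = false; the secure flag is kept on in every case.
function set_protected_cookie(
    string $name,
    string $value,
    int $expire = 0,
    bool $httponly = true
): bool {
    return setcookie($name, $value, $expire, '/', '', true, $httponly);
}

// Runtime check for an admin page: lists the flags still missing on the
// session cookie so a misconfigured host is noticed before going live.
function missing_cookie_flags(): array
{
    $p = session_get_cookie_params();
    $missing = [];
    if (empty($p['secure'])) {
        $missing[] = 'secure';
    }
    if (empty($p['httponly'])) {
        $missing[] = 'httponly';
    }
    return $missing;
}

harden_session_cookie();
session_start();
// Constructed cookie name and value, purely for illustration.
set_protected_cookie('DW_REMEMBER', 'opaque-token-value', time() + 86400);
```

After enabling this on a wiki that is also reachable over plain http, verify that logging in still works there rather than assuming it: user agents that follow RFC 6265 (which obsoleted RFC 2965) only return a cookie flagged "secure" over a TLS connection.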