I was looking at the Security settings and noticed this in the description of the setting "only http cookies":
Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.
Obviously that comment is quite old, and now that Moodle requires PHP > 5.2 and all modern browsers support it I wonder if it would make sense to turn it on by default?
What I'm not sure about is the line "it may not be fully compatible with current code". Does anyone know of any code that uses JS to access the session cookie intentionally?