summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Schneider2008-09-24 15:01:17 +0000
committerChristian Schneider2008-09-24 15:01:17 +0000
commit27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b (patch)
tree34f58f77be92a74540440d6af262c16d7cbb21d3
parent4e20871f1a5d8ad690e742dabb6957763983a6c0 (diff)
downloaditools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.tar.gz
itools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.tar.bz2
itools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.zip
Mark uid/session cookies as httponly (not readable by JS document.cookie)
-rw-r--r--it_session.class4
-rw-r--r--it_user.class2
2 files changed, 3 insertions, 3 deletions
diff --git a/it_session.class b/it_session.class
index a2300e5..ed99842 100644
--- a/it_session.class
+++ b/it_session.class
@@ -167,7 +167,7 @@ function set_valid($valid = true, $login_identifier_required = false, $login_ide
$result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
}
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
$_COOKIE[$this->cookiename] = $this->cookie;
return $result;
@@ -192,7 +192,7 @@ function create_login_identifier()
if (!$this->cookie)
{
$this->cookie = md5(uniqid(rand())); /* random garbage */
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
}
$login_identifier = $this->_mkcookie("", $this->cookie);
diff --git a/it_user.class b/it_user.class
index 8792ab4..4b0ebc6 100644
--- a/it_user.class
+++ b/it_user.class
@@ -208,7 +208,7 @@ function _set_uid($uid)
if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid))
{
- @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain);
+ @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true);
$_COOKIE[$this->p['uidcookiename']] = $uid;
}
}