author | Christian Schneider | 2008-09-24 15:01:17 +0000 |
committer | Christian Schneider | 2008-09-24 15:01:17 +0000 |
commit | 27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b (patch) | |
tree | 34f58f77be92a74540440d6af262c16d7cbb21d3 | |
parent | 4e20871f1a5d8ad690e742dabb6957763983a6c0 (diff) | |
download | itools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.tar.gz itools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.tar.bz2 itools-27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b.zip |
Mark uid/session cookies as httponly (not readable by JS document.cookie)
-rw-r--r-- | it_session.class | 4 | ||||
-rw-r--r-- | it_user.class | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/it_session.class b/it_session.class
index a2300e5..ed99842 100644
--- a/it_session.class
+++ b/it_session.class
@@ -167,7 +167,7 @@ function set_valid($valid = true, $login_identifier_required = false, $login_ide
 $result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
 }
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
 $_COOKIE[$this->cookiename] = $this->cookie;
 return $result;
@@ -192,7 +192,7 @@ function create_login_identifier()
 if (!$this->cookie)
 {
 $this->cookie = md5(uniqid(rand())); /* random garbage */
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+ @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
 }
 $login_identifier = $this->_mkcookie("", $this->cookie);
diff --git a/it_user.class b/it_user.class
index 8792ab4..4b0ebc6 100644
--- a/it_user.class
+++ b/it_user.class
@@ -208,7 +208,7 @@ function _set_uid($uid)
 if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid))
 {
- @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain);
+ @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true);
 $_COOKIE[$this->p['uidcookiename']] = $uid;
 }
 }
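Review bot: The seventh `httponly` argument to setcookie() only exists from PHP 5.2.0, and all three new calls (set_valid and create_login_identifier in it_session.class, _set_uid in it_user.class) keep the leading `@`, so on an older runtime the wrong-parameter-count failure is swallowed and the session or uid cookie is silently never sent while `$_COOKIE` is still populated as if it had been. Either drop the `@` so a failure surfaces, or gate the call on `version_compare(PHP_VERSION, '5.2.0', '>=')` and fall back to the six-argument form; at minimum record the requirement with a comment such as `/* httponly flag needs PHP >= 5.2.0 */` next to each call. In the it_user.class hunk the Secure flag is hard-coded `false` whereas the session cookie passes `$this->ssl`; if it_user exposes the same setting, `@setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, $this->ssl, true);` would keep the uid cookie off plaintext connections on HTTPS deployments as well. set_valid, create_login_identifier and _set_uid all begin outside their hunks.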