From 27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b Mon Sep 17 00:00:00 2001 From: Christian Schneider Date: Wed, 24 Sep 2008 15:01:17 +0000 Subject: Mark uid/session cookies as httponly (not readable by JS document.cookie) --- it_session.class | 4 ++-- it_user.class | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/it_session.class b/it_session.class index a2300e5..ed99842 100644 --- a/it_session.class +++ b/it_session.class @@ -167,7 +167,7 @@ function set_valid($valid = true, $login_identifier_required = false, $login_ide $result = !$valid; /* Setting to invalid succeeded or setting to valid failed */ } - @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl); + @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true); $_COOKIE[$this->cookiename] = $this->cookie; return $result; @@ -192,7 +192,7 @@ function create_login_identifier() if (!$this->cookie) { $this->cookie = md5(uniqid(rand())); /* random garbage */ - @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl); + @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true); } $login_identifier = $this->_mkcookie("", $this->cookie); diff --git a/it_user.class b/it_user.class index 8792ab4..4b0ebc6 100644 --- a/it_user.class +++ b/it_user.class @@ -208,7 +208,7 @@ function _set_uid($uid) if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid)) { - @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain); + @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true); $_COOKIE[$this->p['uidcookiename']] = $uid; } } -- cgit v1.2.3