From 27ee3cdc63e6bc8d214e246ede8d2eaf4ee5347b Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Wed, 24 Sep 2008 15:01:17 +0000
Subject: Mark uid/session cookies as httponly (not readable by JS
 document.cookie)

---
 it_session.class | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'it_session.class')

diff --git a/it_session.class b/it_session.class
index a2300e5..ed99842 100644
--- a/it_session.class
+++ b/it_session.class
@@ -167,7 +167,7 @@ function set_valid($valid = true, $login_identifier_required = false, $login_ide
 		$result = !$valid;	/* Setting to invalid succeeded or setting to valid failed */
 	}
 
-	@setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+	@setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
 	$_COOKIE[$this->cookiename] = $this->cookie;
 
 	return $result;
@@ -192,7 +192,7 @@ function create_login_identifier()
 	if (!$this->cookie)
 	{
 		$this->cookie = md5(uniqid(rand()));	/* random garbage */
-		@setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl);
+		@setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
 	}
 
 	$login_identifier = $this->_mkcookie("", $this->cookie);
-- 
cgit v1.2.3