ENHANCEMENT Session::start() forces PHPSESSID cookies to be httpOnly (not readable from JavaScript) to improve client-side security

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114567 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2010-12-06 00:28:27 +00:00
parent ead9dce351
commit 562eeee790


@ -414,9 +414,9 @@ class Session {
if(!session_id() && !headers_sent()) {
if($domain) {
session_set_cookie_params(self::$timeout, $path, $domain);
session_set_cookie_params(self::$timeout, $path, $domain, false /* secure */, true /* httponly */);
} else {
session_set_cookie_params(self::$timeout, $path);
session_set_cookie_params(self::$timeout, $path, null, false /* secure */, true /* httponly */);
}
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly