From 562eeee790a34363c31711383f4c26176a68d8b3 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Mon, 6 Dec 2010 00:28:27 +0000
Subject: [PATCH] ENHANCEMENT Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114567 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 core/Session.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/Session.php b/core/Session.php
index 112518411..f7ee5f3d3 100644
--- a/core/Session.php
+++ b/core/Session.php
@@ -414,9 +414,9 @@ class Session {
 if(!session_id() && !headers_sent()) {
 if($domain) {
- session_set_cookie_params(self::$timeout, $path, $domain);
+ session_set_cookie_params(self::$timeout, $path, $domain, false /* secure */, true /* httponly */);
 } else {
- session_set_cookie_params(self::$timeout, $path);
+ session_set_cookie_params(self::$timeout, $path, null, false /* secure */, true /* httponly */);
 }
 // @ is to supress win32 warnings/notices when session wasn't cleaned up properly
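Review bot: Both added `session_set_cookie_params` calls hard-code the `secure` flag to `false`, so on a site served over HTTPS the session cookie is still transmitted on any plain-HTTP request to the same host, which is exactly the exposure the Secure attribute exists to close; httpOnly alone does not cover it. Deriving the flag from the current request scheme keeps HTTP-only sites working while protecting HTTPS ones, e.g. `$secure = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');` before the `if($domain)` branch and `$secure /* secure */` in place of `false /* secure */` in both calls (a constructed example; the project may already have a request-scheme helper to use instead). The else branch now passes `null` where the previous code omitted the `$domain` argument entirely; that relies on null being treated as "no domain", so a short comment such as `// null domain: cookie is scoped to the current host` would make the intent explicit. The enclosing `start()` method begins and ends outside this hunk.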