tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

ENHANCEMENT Session::start() forces PHPSESSID cookies to be httpOnly (no access by JS) to improve clientside security (from r114567)

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114571 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2010-12-06 00:36:46 +00:00 committed by Sam Minnee
parent 6fa8f8341c
commit ac4c207846
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/Session.php
View File

@ -414,9 +414,9 @@ class Session {
if(!session_id() && !headers_sent()) { if(!session_id() && !headers_sent()) {
if($domain) { if($domain) {
session_set_cookie_params(self::$timeout, $path, $domain); session_set_cookie_params(self::$timeout, $path, $domain, false /* secure */, true /* httponly */);
} else { } else {
session_set_cookie_params(self::$timeout, $path); session_set_cookie_params(self::$timeout, $path, null, false /* secure */, true /* httponly */);
} }
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly // @ is to supress win32 warnings/notices when session wasn't cleaned up properly