From 48261b641db8404a7b91408e283a866909a32fec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?= <gabor@hojtsy.hu>
Date: Mon, 8 Dec 2008 14:42:30 +0000
Subject: [PATCH] #280934 follow up by pwolanin: harden the cookie handling in
 sess_regenerate() by setting our session cookie to be an HTTP only cookie,
 thus reducing the risk of session stealing via XSS

---
 includes/session.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/includes/session.inc b/includes/session.inc
index 725c45d850ec..bf730e5acdf6 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -97,6 +97,10 @@ function sess_regenerate() {
     setcookie(session_name(), '', time() - 42000, '/');
   }
 
+  extract(session_get_cookie_params());
+  // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+  // This has no effect for PHP < 5.2.0.
+  session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
   session_regenerate_id();
 
   db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
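Review bot: `extract(session_get_cookie_params())` on the first added line creates five locals implicitly ($lifetime, $path, $domain, $secure and, on PHP 5.2+, $httponly), which hides the data flow that the next line depends on and is harder for a reader or static analysis to follow, even though the source array here comes from PHP itself rather than request data. Reading the array explicitly preserves the behavior and makes the single flag being changed obvious: `$params = session_get_cookie_params();` followed by `session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], TRUE);`. The `secure` value is only passed through from the current configuration, so the regenerated cookie is marked Secure solely when session.cookie_secure is already enabled; the new comment could state that, e.g. `// The "secure" flag is left as configured; enable session.cookie_secure for HTTPS-only cookies.`. sess_regenerate() begins and ends outside this hunk.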
-- 
GitLab