author | Dries Buytaert <dries@buytaert.net> | 2008-08-18 18:56:01 +0000 |
committer | Dries Buytaert <dries@buytaert.net> | 2008-08-18 18:56:01 +0000 |
commit | 06379c5470a02f4086d2903b74975879a468d938 (patch) | |
tree | 86a3fe581cb0f6be3774631792d13846b373c356 | |
parent | ba6aa9f515996b676940f5a8a8d10c1249c1bda0 (diff) | |
download | brdo-06379c5470a02f4086d2903b74975879a468d938.tar.gz brdo-06379c5470a02f4086d2903b74975879a468d938.tar.bz2 |
- Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
-rw-r--r-- | includes/bootstrap.inc | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 8fb6aff37..c516c6813 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -373,6 +373,15 @@ function conf_init() {
       $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
     }
   }
+  // To prevent session cookies from being hijacked, a user can configure the
+  // SSL version of their website to only transfer session cookies via SSL by
+  // using PHP's session.cookie_secure setting. The browser will then use two
+  // separate session cookies for the HTTPS and HTTP versions of the site. So we
+  // must use different session identifiers for HTTPS and HTTP to prevent a
+  // cookie collision.
+  if (ini_get('session.cookie_secure')) {
+    $session_name .= 'SSL';
+  }
   // Strip leading periods, www., and port numbers from cookie domain.
   $cookie_domain = ltrim($cookie_domain, '.');
   if (strpos($cookie_domain, 'www.') === 0) {
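Review bot: The new condition relies on the truthiness of whatever string `ini_get('session.cookie_secure')` returns, so a directive spelled at runtime as `'Off'` (for example via ini_set in a settings file loaded before this point) may come back as a non-empty string and give the plain-HTTP site the `SSL` suffix too; normalising first, `if (filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN)) {`, makes the check independent of how the directive was written. The suffix only keeps the two cookies from overwriting each other; it does not by itself protect the HTTP session, so the comment's opening clause would be clearer as "the secure flag keeps the HTTPS session cookie off plain HTTP; this code only gives the two sessions distinct names so the HTTP cookie cannot replace the HTTPS one". The enclosing conf_init() starts and ends outside the hunk, so where `$session_name` is initialised and later consumed cannot be checked from here.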