- Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.

author: Dries Buytaert <dries@buytaert.net> 2008-11-24 06:12:46 +0000
committer: Dries Buytaert <dries@buytaert.net> 2008-11-24 06:12:46 +0000
commit: 96dc47665ef84588874200aec2a5a61e4b93e19f (patch)
tree: 55a44d3fd694e53e4eb4b79798eb30210fa89d6a /includes/session.inc
parent: bd9554952c02b4ea70103a87d3b7ef51af29f9d4 (diff)
download: brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.gz
brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/includes/session.inc b/includes/session.inc
index c9113982f..aae3f29ff 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -163,6 +163,9 @@ function _sess_write($key, $value) {
  */
 function drupal_session_regenerate() {
   $old_session_id = session_id();
+  extract(session_get_cookie_params());
+  // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+  session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
   session_regenerate_id();
   db_update('sessions')
     ->fields(array(
author	Dries Buytaert <dries@buytaert.net>	2008-11-24 06:12:46 +0000
committer	Dries Buytaert <dries@buytaert.net>	2008-11-24 06:12:46 +0000
commit	96dc47665ef84588874200aec2a5a61e4b93e19f (patch)
tree	55a44d3fd694e53e4eb4b79798eb30210fa89d6a /includes/session.inc
parent	bd9554952c02b4ea70103a87d3b7ef51af29f9d4 (diff)
download	brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.gz brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.bz2