author | Dries Buytaert <dries@buytaert.net> | 2008-11-24 06:12:46 +0000 |
committer | Dries Buytaert <dries@buytaert.net> | 2008-11-24 06:12:46 +0000 |
commit | 96dc47665ef84588874200aec2a5a61e4b93e19f (patch) | |
tree | 55a44d3fd694e53e4eb4b79798eb30210fa89d6a /includes/session.inc | |
parent | bd9554952c02b4ea70103a87d3b7ef51af29f9d4 (diff) | |
download | brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.gz brdo-96dc47665ef84588874200aec2a5a61e4b93e19f.tar.bz2 |
- Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.
Diffstat (limited to 'includes/session.inc')
-rw-r--r-- | includes/session.inc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/includes/session.inc b/includes/session.inc
index c9113982f..aae3f29ff 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -163,6 +163,9 @@ function _sess_write($key, $value) {
  */
 function drupal_session_regenerate() {
   $old_session_id = session_id();
+  extract(session_get_cookie_params());
+  // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+  session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
   session_regenerate_id();
   db_update('sessions')
     ->fields(array( |
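Review bot: The `extract()` on the added line hides which locals the call below depends on and makes the code fragile if the returned array ever grows or changes keys; reading the array explicitly is clearer and keeps static analysis working: `$params = session_get_cookie_params();` followed by `session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], TRUE);`. Note also that the httponly flag is only applied here, at regeneration time, so unless the same flag is set where the session cookie is first issued (not visible in this hunk), the cookie sent before the first regeneration would presumably lack it; a short comment stating where the initial cookie gets the flag would make that contract explicit. Calling `session_set_cookie_params()` before `session_regenerate_id()` is the right order, since the new cookie is emitted by the regeneration. The body of drupal_session_regenerate() continues past the end of the hunk.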