-rw-r--r-- | includes/bootstrap.inc | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 8fb6aff37..c516c6813 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -373,6 +373,15 @@ function conf_init() {
 $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
 }
 }
+ // To prevent session cookies from being hijacked, a user can configure the
+ // SSL version of their website to only transfer session cookies via SSL by
+ // using PHP's session.cookie_secure setting. The browser will then use two
+ // separate session cookies for the HTTPS and HTTP versions of the site. So we
+ // must use different session identifiers for HTTPS and HTTP to prevent a
+ // cookie collision.
+ if (ini_get('session.cookie_secure')) {
+ $session_name .= 'SSL';
+ }
 // Strip leading periods, www., and port numbers from cookie domain.
 $cookie_domain = ltrim($cookie_domain, '.');
 if (strpos($cookie_domain, 'www.') === 0) { |
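Review bot: The new `if (ini_get('session.cookie_secure'))` relies on PHP truthiness of a string, and `ini_get` returns whatever string was last stored for the directive, so a runtime `ini_set('session.cookie_secure', 'Off')` (or any non-numeric spelling) would be truthy and the `SSL` suffix would be applied to the plain-HTTP session name as well. Normalising the value first avoids that: `if (filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN)) {`, or, where the project's minimum PHP version lacks `filter_var`, an explicit comparison against the accepted spellings `'1'`, `'on'`, `'yes'`, `'true'` after `strtolower`. It is also worth a one-line note next to the check that the suffix only separates the two cookies and does not by itself enforce `session.cookie_secure`, which remains the site administrator's responsibility, e.g. `// Note: this only keeps the HTTP and HTTPS cookies distinct; it does not enable cookie_secure.` conf_init() starts before and continues after this hunk.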