From 96dc47665ef84588874200aec2a5a61e4b93e19f Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Mon, 24 Nov 2008 06:12:46 +0000
Subject: - Patch #280934 by pwolanin, swentel, et al: harden session regeneration. It took a while, but it comes with tests and extra features now.
---
 includes/session.inc | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'includes/session.inc')
diff --git a/includes/session.inc b/includes/session.inc
index c9113982f..aae3f29ff 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -163,6 +163,9 @@ function _sess_write($key, $value) {
  */
 function drupal_session_regenerate() {
 $old_session_id = session_id();
+ extract(session_get_cookie_params());
+ // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+ session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
 session_regenerate_id();
 db_update('sessions')
 ->fields(array(
-- 
cgit v1.2.3
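Review bot: The `extract(session_get_cookie_params())` in the added lines creates `$lifetime`, `$path`, `$domain` and `$secure` implicitly, which hides which variables the following call depends on and defeats static analysis; reading the array explicitly is clearer, e.g. `$params = session_get_cookie_params();` followed by `session_set_cookie_params($params['lifetime'], $params['path'], $params['domain'], $params['secure'], TRUE);`. Only the httponly flag is forced here while the secure flag is carried over unchanged, so the regenerated cookie is still sent over plain HTTP unless `session.cookie_secure` is configured elsewhere, which the added comment should state so readers do not assume the cookie is fully hardened. The new parameters apply to the cookie sent by the following session_regenerate_id(), but presumably not to the cookie issued at the initial session_start(), so `session.cookie_httponly` would need to be set at bootstrap as well if that is not already done. drupal_session_regenerate()'s body continues past the end of the hunk.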