Merge branch '6217-security-set-cookie-settings-to-true-for-option-ht…

…tponly' into '1.3-fixes'
fusiondirectory · Jul 5, 2022 · fadebb7 · fadebb7
1 parent a316b52
commit fadebb7
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/include/class_session.inc b/include/class_session.inc
@@ -151,6 +151,13 @@ class session {
        !! The garbage collector is a cron job on debian systems, the cronjob will fetch the timeout from
        the php.ini, so if you use debian, you must hardcode session.gc_maxlifetime in your php.ini */
     ini_set("session.gc_maxlifetime", 24 * 60 * 60);
+
+    /*
+     *  Set HttpOnly in order to enhance security by disabling execution of javascript on cookies,
+     *  allowing possible XSS attacks
+     */
+    ini_set("session.cookie_httponly", "1");
+
     if ($id !== NULL) {
       session_id($id);
     }