Merge pull request #362 from DanielRuf/1.8-httponly

Set HttpOnly flag for cookies

qa-include/ajax/notice.php

@@ -32,7 +32,7 @@
 
 	else {
 		if ($noticeid=='visitor')
-			setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN);
+			setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
 
 		else {
 			$userid=qa_get_logged_in_userid();
@@ -50,4 +50,4 @@
 
 /*
 	Omit PHP closing tag to help avoid accidental output
-*/
\ No newline at end of file
+*/

qa-include/app/cookies.php

@@ -54,7 +54,7 @@
 		else
 			$cookieid=qa_db_cookie_create(qa_remote_ip_address());
 
-		setcookie('qa_id', $cookieid, time()+86400*365, '/', QA_COOKIE_DOMAIN);
+		setcookie('qa_id', $cookieid, time()+86400*365, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
 		$_COOKIE['qa_id']=$cookieid;
 
 		return $cookieid;
@@ -75,4 +75,4 @@
 
 /*
 	Omit PHP closing tag to help avoid accidental output
-*/
\ No newline at end of file
+*/

qa-include/app/users.php

@@ -185,7 +185,7 @@
 			if (qa_to_override(__FUNCTION__)) { $args=func_get_args(); return qa_call_override(__FUNCTION__, $args); }
 
 			// if $remember is true, store in browser for a month, otherwise store only until browser is closed
-			setcookie('qa_session', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN);
+			setcookie('qa_session', $handle.'/'.$sessioncode.'/'.($remember ? 1 : 0), $remember ? (time()+2592000) : 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
 		}
 
 
@@ -196,7 +196,7 @@
 		{
 			if (qa_to_override(__FUNCTION__)) { $args=func_get_args(); return qa_call_override(__FUNCTION__, $args); }
 
-			setcookie('qa_session', false, 0, '/', QA_COOKIE_DOMAIN);
+			setcookie('qa_session', false, 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
 		}
 
 
@@ -1060,7 +1060,7 @@ in a category for which they have elevated privileges).
 				$_COOKIE['qa_key']=qa_random_alphanum(QA_FORM_KEY_LENGTH);
 			}
 
-			setcookie('qa_key', $_COOKIE['qa_key'], time()+2*QA_FORM_EXPIRY_SECS, '/', QA_COOKIE_DOMAIN); // extend on every page request
+			setcookie('qa_key', $_COOKIE['qa_key'], time()+2*QA_FORM_EXPIRY_SECS, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true); // extend on every page request
 		}
 	}
 

qa-include/qa-page.php

@@ -167,7 +167,7 @@
 
 						else {
 							if ($noticeid=='visitor')
-								setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN);
+								setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true);
 
 							elseif ($noticeid=='welcome') {
 								require_once QA_INCLUDE_DIR.'db/users.php';
@@ -217,7 +217,7 @@
 
 		if ($firstlower == 'admin') {
 			$_COOKIE['qa_admin_last'] = $requestlower; // for navigation tab now...
-			setcookie('qa_admin_last', $_COOKIE['qa_admin_last'], 0, '/', QA_COOKIE_DOMAIN); // ...and in future
+			setcookie('qa_admin_last', $_COOKIE['qa_admin_last'], 0, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true); // ...and in future
 		}
 
 		if (isset($qa_content))
@@ -756,7 +756,7 @@
 				$qa_content['notices'][]=qa_notice_form('visitor', qa_opt('notice_visitor'));
 
 		} else {
-			setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN); // don't show first-time notice if a user has logged in
+			setcookie('qa_noticed', 1, time()+86400*3650, '/', QA_COOKIE_DOMAIN, (bool)ini_get('session.cookie_secure'), true); // don't show first-time notice if a user has logged in
 
 			if (qa_opt('show_notice_welcome') && (qa_get_logged_in_flags() & QA_USER_FLAGS_WELCOME_NOTICE) )
 				if ( ($requestlower!='confirm') && ($requestlower!='account') ) // let people finish registering in peace
@@ -836,4 +836,4 @@
 
 /*
 	Omit PHP closing tag to help avoid accidental output
-*/
\ No newline at end of file
+*/