Merge pull request #830 from gturri/dev

Increase security by setting the httpOnly flag to session cookie

Merge pull request #830 from gturri/dev
Increase security by setting the httpOnly flag to session cookie
3be51d3e · Scott · GitHub · 1af307eb · da1891b1 · 3be51d3e
Unverified Commit 3be51d3e authored Jul 31, 2020 by Scott Committed by GitHub Jul 31, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 0 deletions

users.php qa-include/app/users.php +1 -0

No files found.
--- a/qa-include/app/users.php
+++ b/qa-include/app/users.php
@@ -157,6 +157,7 @@ if (QA_FINAL_EXTERNAL_USERS) {
 		@ini_set('session.gc_maxlifetime', 86400); // worth a try, but won't help in shared hosting environment
 		@ini_set('session.use_trans_sid', false); // sessions need cookies to work, since we redirect after login
 		@ini_set('session.cookie_domain', QA_COOKIE_DOMAIN);
+		@ini_set('session.cookie_httponly', true);

 		if (!isset($_SESSION))
 			session_start();