From b57d6ba2af6570de6bb1d9ddfe23173fdc2763de Mon Sep 17 00:00:00 2001
From: Thibault Dockx <thibault.dockx@fusiondirectory.org>
Date: Tue, 5 Jul 2022 13:45:10 +0100
Subject: [PATCH] :sparkles: Feat(Cookies) - Set Session Cookie to HttpOnly

The session cookie's HttpOnly option is now set to TRUE, so that a
possible XSS vulnerability cannot be used to read the session cookie.
---
 include/class_session.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/class_session.inc b/include/class_session.inc
index 36f727135..f87466c96 100644
--- a/include/class_session.inc
+++ b/include/class_session.inc
@@ -151,6 +151,13 @@ class session
        !! The garbage collector is a cron job on debian systems, the cronjob will fetch the timeout from
        the php.ini, so if you use debian, you must hardcode session.gc_maxlifetime in your php.ini */
     ini_set("session.gc_maxlifetime", 24 * 60 * 60);
+
+    /*
+     *  Set HttpOnly in order to enhance security by disabling execution of javascript on cookies,
+     *  allowing possible XSS attacks
+     */
+    ini_set("session.cookie_httponly", "1");
+
     if ($id !== NULL) {
       session_id($id);
     }
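Review bot: HttpOnly by itself only keeps the session id out of `document.cookie`; the added `ini_set` at the end of the hunk still leaves the cookie without the `Secure` and `SameSite` attributes, so it is sent over plain HTTP and on cross-site requests. Alongside it I would set `ini_set("session.cookie_secure", "1");` (only if the deployment is always served over HTTPS, which this hunk does not show) and, if the project's minimum PHP version is 7.3 or later, `ini_set("session.cookie_samesite", "Lax");`. These settings only apply if the session has not been started yet, which presumably holds here since `session_id($id)` follows, but it is worth confirming against the callers of this method. The comment above the call is misleading as written — HttpOnly does not disable JavaScript or stop XSS — so I would replace it with `/* HttpOnly keeps the session cookie out of document.cookie, so an XSS bug cannot read it; it does not prevent XSS itself. */`. The enclosing method starts before the hunk and continues after it.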
-- 
GitLab