From fadebb79b932a0260bdb8723eb23694a3ae62366 Mon Sep 17 00:00:00 2001
From: bmortier <benoit.mortier@fusiondirectory.org>
Date: Tue, 5 Jul 2022 15:59:08 +0000
Subject: [PATCH] Merge branch '6217-security-set-cookie-settings-to-true-for-option-httponly' into '1.3-fixes'

---
 include/class_session.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/class_session.inc b/include/class_session.inc
index cfae33679..0b678b1e2 100644
--- a/include/class_session.inc
+++ b/include/class_session.inc
@@ -151,6 +151,13 @@ class session {
          !! The garbage collector is a cron job on debian systems, the cronjob will fetch the timeout
          from the php.ini, so if you use debian, you must hardcode session.gc_maxlifetime in your php.ini */
       ini_set("session.gc_maxlifetime", 24 * 60 * 60);
+
+      /*
+       * Set HttpOnly in order to enhance security by disabling execution of javascript on cookies,
+       * allowing possible XSS attacks
+       */
+      ini_set("session.cookie_httponly", "1");
+
       if ($id !== NULL) {
         session_id($id);
       }
-- 
GitLab
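Review bot: The added comment misstates what the flag does — HttpOnly does not disable JavaScript execution, it stops client-side script from reading the session cookie through document.cookie, so an XSS bug cannot exfiltrate the session id; as written it also reads as if the setting "allows" XSS. Suggested wording: `/* Mark the session cookie HttpOnly so client-side script cannot read it; this limits session theft via XSS, it does not prevent XSS itself. */`. While hardening cookie flags here, `session.cookie_secure` (when the application is served over HTTPS) is the natural companion and is not set in this hunk. The ini_set must run before the session is started; it sits next to the existing gc_maxlifetime ini_set and ahead of session_id($id), so presumably it does, but the enclosing function begins outside the hunk.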