From d24e98f217570ae7fa87d7a78e92cf74727d2787 Mon Sep 17 00:00:00 2001
From: oricgn
Date: Thu, 14 Apr 2016 13:31:12 +0200
Subject: [PATCH] Set cookies with httponly
---
 include/api/user.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/include/api/user.php b/include/api/user.php
index b3c18c792..b40bd6cff 100644
--- a/include/api/user.php
+++ b/include/api/user.php
@@ -2207,7 +2207,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_LONG_TERM,
 $user['user_id'].':'.$sessid_lt,
 $timeout,
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 } else {
 // Add the session id to the URL building GET variables.
@@ -2227,7 +2230,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_SHORT_TERM,
 $user['user_id'].':'.$user['sessid_st'],
 $user['sessid_st_timeout'],
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 }
 }
@@ -2238,7 +2244,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_ADMIN,
 $user['user_id'].':'.$sessid_admin,
 0, // admin sessions are destroyed as soon as the browser closes
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 }
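Review bot: The argument added before `true // httponly` is hard-coded to `false` in all three cookie calls (long-term, short-term and admin session), so on an HTTPS deployment these session cookies are still issued without the Secure attribute and remain eligible to travel over plain HTTP. The opening of each call is outside the hunks, but the argument order matches setcookie(), where that position is `secure`. Consider computing it once near the top of phorum_api_user_session_create(), e.g. `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';` (or a configuration setting if TLS is terminated at a proxy), and passing `$secure, // secure` in place of `false,`. This matters most for the PHORUM_SESSION_ADMIN cookie, and labelling the argument keeps it as readable as the `// httponly` line next to it.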