From 32bb81359b5626af47c670e96cdc38480331e8cd Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Tue, 15 Apr 2008 00:06:32 +0000
Subject: [PATCH] Allow setting httponly on auth cookies.
---
 includes/DefaultSettings.php | 1 +
 includes/User.php | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 9dde253fee..b0aef12516 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1496,6 +1496,7 @@ $wgCookieDomain = '';
 $wgCookiePath = '/';
 $wgCookieSecure = ($wgProto == 'https');
 $wgDisableCookieCheck = false;
+$wgCookieHttpOnly = true;
 /** A list of cookies that vary the cache (for use by extensions) */
 $wgCacheVaryCookies = array();
diff --git a/includes/User.php b/includes/User.php
index b3a839e865..686a8f8506 100644
--- a/includes/User.php
+++ b/includes/User.php
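Review bot: The new `$wgCookieHttpOnly` default is unconditional and undocumented, while the seventh `httponly` argument of `setcookie()` that it feeds exists only from PHP 5.2.0. If this codebase still supports older PHP (not visible from this hunk), the extra argument would likely make `setcookie()` reject the call with a warning, so the login cookies would not be set at all; a guarded default such as `$wgCookieHttpOnly = version_compare( PHP_VERSION, '5.2.0', '>=' );` avoids that. A one-line comment such as `/** Send login cookies with the HttpOnly flag so page scripts cannot read them (needs PHP 5.2+) */` would also tell administrators what switching it off exposes.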
@@ -1968,20 +1968,20 @@ class User {
 }
 function setCookies() {
- global $wgCookieExpiration, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookiePrefix;
+ global $wgCookieExpiration, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookiePrefix, $wgCookieHttpOnly;;
 $this->load();
 if ( 0 == $this->mId ) return;
 $exp = time() + $wgCookieExpiration;
 $_SESSION['wsUserID'] = $this->mId;
- setcookie( $wgCookiePrefix.'UserID', $this->mId, $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure );
+ setcookie( $wgCookiePrefix.'UserID', $this->mId, $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
 $_SESSION['wsUserName'] = $this->getName();
- setcookie( $wgCookiePrefix.'UserName', $this->getName(), $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure );
+ setcookie( $wgCookiePrefix.'UserName', $this->getName(), $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
 $_SESSION['wsToken'] = $this->mToken;
 if ( 1 == $this->getOption( 'rememberpassword' ) ) {
- setcookie( $wgCookiePrefix.'Token', $this->mToken, $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure );
+ setcookie( $wgCookiePrefix.'Token', $this->mToken, $exp, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
 } else {
 setcookie( $wgCookiePrefix.'Token', '', time() - 3600 );
 }
-- 
2.20.1
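Review bot: The Token-clearing call in the `else` branch, `setcookie( $wgCookiePrefix.'Token', '', time() - 3600 );`, is left without path, domain or flags, so it does not match the cookie that the branch above sets with `$wgCookiePath` and `$wgCookieDomain`. Browsers replace a cookie only when name, domain and path agree, so unless the request path happens to equal `$wgCookiePath` a previously issued remember-me token stays in the browser after the user turns `rememberpassword` off; passing the same arguments, `setcookie( $wgCookiePrefix.'Token', '', time() - 3600, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );`, makes the expiry apply to the real cookie. The new `global` line also ends in a stray `;;`. The PHP session cookie that backs `$_SESSION['wsToken']` is presumably configured elsewhere and is not touched by these calls, so it is worth confirming that it receives the same flag. `setCookies()` closes outside this hunk.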