From: Brion Vibber Date: Wed, 16 Apr 2008 23:06:51 +0000 (+0000) Subject: Apply $wgCookieHttpOnly setting to the session cookie as well X-Git-Tag: 1.31.0-rc.0~48251 X-Git-Url: http://git.cyclocoop.org/%22.%24image2.%22?a=commitdiff_plain;h=31e80b39fb20ad522ace6ebabe772336b8889cc9;p=lhc%2Fweb%2Fwiklou.git Apply $wgCookieHttpOnly setting to the session cookie as well
---
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 61e9e629dc..4dcc087950 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -2224,7 +2224,7 @@ function wfIsLocalURL( $url ) {
 * Initialise php session
 */
 function wfSetupSession() {
- global $wgSessionsInMemcached, $wgCookiePath, $wgCookieDomain, $wgCookieSecure;
+ global $wgSessionsInMemcached, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly;
 if( $wgSessionsInMemcached ) {
 require_once( 'MemcachedSessions.php' );
 } elseif( 'files' != ini_get( 'session.save_handler' ) ) {
@@ -2232,7 +2232,13 @@ function wfSetupSession() {
 # application, it will end up failing. Try to recover.
 ini_set ( 'session.save_handler', 'files' );
 }
- session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure);
+ $httpOnlySafe = version_compare("5.2", PHP_VERSION, "<");
+ if( $httpOnlySafe && $wgCookieHttpOnly ) {
+ session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure, $wgCookieHttpOnly );
+ } else {
+ // PHP 5.1 throws warnings if you pass the HttpOnly parameter for 5.2.
+ session_set_cookie_params( 0, $wgCookiePath, $wgCookieDomain, $wgCookieSecure );
+ }
 session_cache_limiter( 'private, must-revalidate' );
 wfSuppressWarnings();
 session_start();
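Review bot: In the `else` branch of the second hunk, a wiki that sets `$wgCookieHttpOnly` but runs a PHP older than 5.2 gets a session cookie without HttpOnly, and nothing records that the setting was ignored, so the cookie stays readable from page script while the configuration says otherwise. A debug line in that branch would make the downgrade visible, for example `if( $wgCookieHttpOnly && !$httpOnlySafe ) wfDebug( "HttpOnly requested for the session cookie but not supported by this PHP version\n" );`. The same branch also runs when the setting is off, where the four-argument call presumably leaves `session.cookie_httponly` from php.ini in effect; the comment there should say both, e.g. `// Either HttpOnly is disabled, or this PHP predates 5.2 and warns on the fifth parameter.` The version test would read more directly as `version_compare( PHP_VERSION, '5.2.0', '>=' )`. wfSetupSession() continues past the end of the hunk.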