diff options
| author | robocoder <anthon.pang@gmail.com> | 2011-01-16 04:22:04 +0300 |
|---|---|---|
| committer | robocoder <anthon.pang@gmail.com> | 2011-01-16 04:22:04 +0300 |
| commit | 058305ea2de5bfcd5a8a19b141990dd2f5486733 (patch) | |
| tree | beb7be81e886b499d55e8c730001749f0b08f61a /core/Session.php | |
| parent | 8d1430e0b50c48c06a5a5f586769110e36a35886 (diff) | |
refs r3711 - more best practice
git-svn-id: http://dev.piwik.org/svn/trunk@3750 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'core/Session.php')
| -rw-r--r-- | core/Session.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/Session.php b/core/Session.php index 76ad17b803..5d8c4f84db 100644 --- a/core/Session.php +++ b/core/Session.php @@ -30,6 +30,15 @@ class Piwik_Session extends Zend_Session // prevent attacks involving session ids passed in URLs @ini_set('session.use_only_cookies', '1'); + // advise browser that session cookie should only be sent over secure connection + if(Piwik::isHttps()) + { + @ini_set('session.cookie_secure', '1'); + } + + // advise browser that session cookie should only be accessible through the HTTP protocol (i.e., not JavaScript) + @ini_set('session.cookie_httponly', '1'); + // don't use the default: PHPSESSID $sessionName = defined('PIWIK_SESSION_NAME') ? PIWIK_SESSION_NAME : 'PIWIK_SESSID'; @ini_set('session.name', $sessionName); |