Kryptronic Software Support Forum

htw_simon · 11-08-2012 09:54:30

How do I add the HTTPONLY attribute to the cookie that includes 'sid='?

Thanks,

Simon

htw_simon · 11-14-2012 05:07:11

For anyone else where this comes up on their PCI compliance edit the file {PRIVATE}>core>CORE_Session>CORE_Session.php and change:

Code:

if ($this->ssl) {

     $domain     = $this->globals('core.cookie_domain_ssl');
     $path       = $this->globals('core.cookie_path_ssl');

} else {

     $domain     = $this->globals('core.cookie_domain_nonssl');
     $path       = $this->globals('core.cookie_path_nonssl');

} // End of if statement.

if (!(preg_match('/\/$/',$path))) {$path .= '/';}

setcookie($name, $value, $expiration, $path, $domain);

to this:

Code:

if ($this->ssl) {

     $domain     = $this->globals('core.cookie_domain_ssl');
     $path       = $this->globals('core.cookie_path_ssl');
     $secure = 1;

} else {

     $domain     = $this->globals('core.cookie_domain_nonssl');
     $path       = $this->globals('core.cookie_path_nonssl');
     $secure = 0;

} // End of if statement.

if (!(preg_match('/\/$/',$path))) {$path .= '/';}

$httponly = 1;

setcookie($name, $value, $expiration, $path, $domain, $secure, $httponly);

Kryptronic Software Support Forum

#1 11-08-2012 09:54:30

Session Cookie Attribute

#2 11-14-2012 05:07:11

Re: Session Cookie Attribute

Code:

Code:

Board footer