defr/drupal/core: includes/bootstrap.inc comparison

Drupal 6.5

author	Franck Deroche <webmaster@defr.org>
date	Tue, 23 Dec 2008 14:32:19 +0100
parents	fff6d4c8c043
children	8b6c45761e01

comparison

equal deleted inserted replaced

-:6f15c9d74937
+:589fb7c02327
 <?php
-// $Id: bootstrap.inc,v 1.206.2.3 2008/07/09 19:15:59 goba Exp $
+// $Id: bootstrap.inc,v 1.206.2.4 2008/08/18 18:56:30 dries Exp $
 /**
 * @file
 * Functions that need to be loaded on every Drupal request.
 */
 list( , $session_name) = explode('://', $base_url, 2);
 // We escape the hostname because it can be modified by a visitor.
 if (!empty($_SERVER['HTTP_HOST'])) {
 $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
 }
+}
+// To prevent session cookies from being hijacked, a user can configure the
+// SSL version of their website to only transfer session cookies via SSL by
+// using PHP's session.cookie_secure setting. The browser will then use two
+// separate session cookies for the HTTPS and HTTP versions of the site. So we
+// must use different session identifiers for HTTPS and HTTP to prevent a
+// cookie collision.
+if (ini_get('session.cookie_secure')) {
+$session_name .= 'SSL';
 }
 // Strip leading periods, www., and port numbers from cookie domain.
 $cookie_domain = ltrim($cookie_domain, '.');
 if (strpos($cookie_domain, 'www.') === 0) {
 $cookie_domain = substr($cookie_domain, 4);

Mercurial > defr > drupal > core