Mercurial > defr > drupal > core
diff includes/bootstrap.inc @ 11:589fb7c02327 6.5
Drupal 6.5
| author | Franck Deroche <webmaster@defr.org> |
|---|---|
| date | Tue, 23 Dec 2008 14:32:19 +0100 |
| parents | fff6d4c8c043 |
| children | 8b6c45761e01 |
line wrap: on
line diff
--- a/includes/bootstrap.inc Tue Dec 23 14:32:08 2008 +0100 +++ b/includes/bootstrap.inc Tue Dec 23 14:32:19 2008 +0100 @@ -1,5 +1,5 @@ <?php -// $Id: bootstrap.inc,v 1.206.2.3 2008/07/09 19:15:59 goba Exp $ +// $Id: bootstrap.inc,v 1.206.2.4 2008/08/18 18:56:30 dries Exp $ /** * @file @@ -329,6 +329,15 @@ $cookie_domain = check_plain($_SERVER['HTTP_HOST']); } } + // To prevent session cookies from being hijacked, a user can configure the + // SSL version of their website to only transfer session cookies via SSL by + // using PHP's session.cookie_secure setting. The browser will then use two + // separate session cookies for the HTTPS and HTTP versions of the site. So we + // must use different session identifiers for HTTPS and HTTP to prevent a + // cookie collision. + if (ini_get('session.cookie_secure')) { + $session_name .= 'SSL'; + } // Strip leading periods, www., and port numbers from cookie domain. $cookie_domain = ltrim($cookie_domain, '.'); if (strpos($cookie_domain, 'www.') === 0) {