From 2fe0f1a071ba903b441240ab32c1cdb01dd0738b Mon Sep 17 00:00:00 2001
From: oricgn
Date: Thu, 14 Apr 2016 13:40:50 +0200
Subject: [PATCH] Set cookies with httponly
---
 include/api/user.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/include/api/user.php b/include/api/user.php
index 391d6fc8a..8ef6b7887 100644
--- a/include/api/user.php
+++ b/include/api/user.php
@@ -2167,7 +2167,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_LONG_TERM,
 $user['user_id'].':'.$sessid_lt,
 $timeout,
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 } else {
 // Add the session id to the URL building GET variables.
@@ -2187,7 +2190,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_SHORT_TERM,
 $user['user_id'].':'.$user['sessid_st'],
 $user['sessid_st_timeout'],
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 }
 }
@@ -2198,7 +2204,10 @@ function phorum_api_user_session_create($type, $reset = 0)
 PHORUM_SESSION_ADMIN,
 $user['user_id'].':'.$sessid_admin,
 0, // admin sessions are destroyed as soon as the browser closes
- $PHORUM['session_path'], $PHORUM['session_domain']
+ $PHORUM['session_path'],
+ $PHORUM['session_domain'],
+ false,
+ true // httponly
 );
 }
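Review bot: The `secure` argument is hard-coded to `false` in all three cookie calls (the long-term cookie in the first hunk, and the short-term and `PHORUM_SESSION_ADMIN` cookies in the hunks at -2187 and -2198), so the session cookies are still sent over plain HTTP even when the forum is served over HTTPS; httponly blocks script access to the cookie but not capture in transit. Consider deriving the value from the request, e.g. `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', // secure`, or from a site setting when TLS is terminated at a proxy, and at minimum label the bare `false` with a `// secure` comment the way the httponly line is labelled. The `else` branch visible in the first hunk puts the session id into URL GET variables, a path this flag does not protect. Each call opens outside its hunk, so this assumes the arguments follow PHP's `setcookie()` positional order.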