Improve security of PHP session variable by setting HttpOnly flag. Fixes #129.

Starbeamrainbowlabs 2016-12-23 21:31:33 +00:00
parent 855079b438
commit d17925a662
3 changed files with 5 additions and 4 deletions

@ -32,6 +32,7 @@
- Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries.
- Fixed tag links at the bottom of pages for tags with a single quote (`'`) in them.
- Correct error message when attempting to move a page
- Improved security of PHP session cookie by setting HttpOnly flag.
## v0.12.1
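
Review bot: The added changelog entry ("Improved security of PHP session cookie by setting HttpOnly flag.") does not reference issue #129, which the commit message says this change fixes. Adding the issue number to the entry would let readers trace it back to the report.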

@ -357,7 +357,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and
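
Review bot: In the replacement setcookie() call the sixth argument (secure) is hard-coded to false, so the session cookie gains HttpOnly but will still be sent over plain HTTP. Consider deriving it from the request, for example !empty($_SERVER["HTTPS"]), or from a setting. Also note that session_start() on the line above emits its own Set-Cookie header when a new session is created, and that header carries HttpOnly only if session.cookie_httponly is enabled; calling session_set_cookie_params() before session_start() would cover it as well.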

@ -39,7 +39,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and
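
Review bot: The positional arguments "", "", false, true in the new setcookie() call are easy to misread or reorder; a short comment naming them (path, domain, secure, httponly) would make the intent obvious. The identical line is edited in two files in this commit (here at line 39 and at line 357 in the other), so if one file is not generated from the other, consider a single shared place for the session cookie setup so the two copies cannot drift apart.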