Improve security of the PHP session cookie by setting the HttpOnly flag. Fixes #129.

Starbeamrainbowlabs 2016-12-23 21:31:33 +00:00
parent 855079b438
commit d17925a662
3 changed files with 5 additions and 4 deletions


@ -32,6 +32,7 @@
- Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries.
- Fixed tag links at the bottom of pages for tags with a single quote (`'`) in them.
- Correct error message when attempting to move a page
- Improved security of PHP session cookie by setting HttpOnly flag.
## v0.12.1


@ -52,7 +52,7 @@ $guiConfig = <<<'GUICONFIG'
}},
"admins": {"type": "array", "description": "An array of usernames that are administrators. Administrators can delete and move pages.", "default": [ "admin" ]},
"anonymous_user_name": { "type": "text", "description": "The default name for anonymous users.", "default": "Anonymous" },
"user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699;" },
"user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699; " },
"use_sha3": {"type": "checkbox", "description": "Whether to use the new sha3 hashing algorithm for passwords etc.", "default": false },
"require_login_view": {"type": "checkbox", "description": "Whether to require that users login before they do anything else. Best used with the data_storage_dir option.", "default": false},
"data_storage_dir": {"type": "text", "description": "The directory in which to store all files, except the main index.php.", "default": "."},
@ -357,7 +357,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and
@ -1377,7 +1377,7 @@ class page_renderer
{
$result .= "<span class='inflexible logged-in" . ($env->is_logged_in ? " moderator" : " normal-user") . "'>";
if(module_exists("feature-user-preferences")) {
$result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a> ";
$result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a>";
}
$result .= self::render_username($env->user) . " <small>(<a href='index.php?action=logout'>Logout</a>)</small>";
$result .= "</span>";
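Review bot: The new setcookie() call hardcodes the secure flag to false, so on a TLS deployment the session cookie is still permitted to travel over plaintext HTTP; the identical line appears in the third file of this commit. Consider deriving the flag from the request instead, e.g. `setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", !empty($_SERVER["HTTPS"]), true);`. Note also that session_start() on the line above already emits its own Set-Cookie header for the same name using whatever session.cookie_httponly is in php.ini, so the HttpOnly attribute here relies on the browser honouring the later header; placing `ini_set('session.cookie_httponly', '1');` (or an equivalent session_set_cookie_params() call) before session_start() makes the first header correct as well. Whether the empty path argument matches the session.cookie_path used by that first header cannot be confirmed from this hunk.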


@ -39,7 +39,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and