- Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
--- includes/bootstrap.inc 2008/07/09 19:15:59 1.206.2.3
+++ includes/bootstrap.inc 2008/08/18 18:56:30 1.206.2.4
@@ -329,6 +329,15 @@
$cookie_domain = check_plain($_SERVER['HTTP_HOST']);
}
}
+ // To prevent session cookies from being hijacked, a user can configure the
+ // SSL version of their website to only transfer session cookies via SSL by
+ // using PHP's session.cookie_secure setting. The browser will then use two
+ // separate session cookies for the HTTPS and HTTP versions of the site. So we
+ // must use different session identifiers for HTTPS and HTTP to prevent a
+ // cookie collision.
+ if (ini_get('session.cookie_secure')) {
+ $session_name .= 'SSL';
+ }
// Strip leading periods, www., and port numbers from cookie domain.
$cookie_domain = ltrim($cookie_domain, '.');
if (strpos($cookie_domain, 'www.') === 0) {