Merge pull request #199 from tandrup/httpOnly-cookies

Add httpOnly to cookies on login page. Solves #4565.
2026-06-20 19:30:30 +01:00 · 2015-04-01 21:03:44 -07:00
parent ab1095e529 30168f57bb
commit 2a8797c49c
2 changed files with 6 additions and 0 deletions
--- a/pam_login.cgi
+++ b/pam_login.cgi
@@ -23,6 +23,9 @@ if ($gconfig{'loginbanner'} && $ENV{'HTTP_COOKIE'} !~ /banner=1/ &&
 	return;
 	}
 $sec = uc($ENV{'HTTPS'}) eq 'ON' ? "; secure" : "";
+if (!$config{'no_httponly'}) {
+	$sec .= "; httpOnly";
+}
 &get_miniserv_config(\%miniserv);
 $sidname = $miniserv{'sidname'} || "sid";
 print "Set-Cookie: banner=0; path=/$sec\r\n" if ($gconfig{'loginbanner'});
--- a/session_login.cgi
+++ b/session_login.cgi
@@ -24,6 +24,9 @@ if ($gconfig{'loginbanner'} && $ENV{'HTTP_COOKIE'} !~ /banner=1/ &&
 	return;
 	}
 $sec = uc($ENV{'HTTPS'}) eq 'ON' ? "; secure" : "";
+if (!$config{'no_httponly'}) {
+	$sec .= "; httpOnly";
+}
 &get_miniserv_config(\%miniserv);
 $sidname = $miniserv{'sidname'} || "sid";
 print "Set-Cookie: banner=0; path=/$sec\r\n" if ($gconfig{'loginbanner'});