From 30168f57bb31f50575e5e472b111d0a0ef5423a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mads=20M=C3=A6tzke=20Tandrup?=
Date: Wed, 1 Apr 2015 14:37:02 +0200
Subject: [PATCH] Add httpOnly to cookies on login page. Solves #4565. Add httpOnly to pam_login and session_login to avoid security scans reporting false positives on cookies without httpOnly
---
 pam_login.cgi | 3 +++
 session_login.cgi | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/pam_login.cgi b/pam_login.cgi
index e158d2773..fa75c1091 100755
--- a/pam_login.cgi
+++ b/pam_login.cgi
@@ -23,6 +23,9 @@ if ($gconfig{'loginbanner'} && $ENV{'HTTP_COOKIE'} !~ /banner=1/ &&
 return;
 }
 $sec = uc($ENV{'HTTPS'}) eq 'ON' ? "; secure" : "";
+if (!$config{'no_httponly'}) {
+ $sec .= "; httpOnly";
+}
 &get_miniserv_config(\%miniserv);
 $sidname = $miniserv{'sidname'} || "sid";
 print "Set-Cookie: banner=0; path=/$sec\r\n" if ($gconfig{'loginbanner'});
diff --git a/session_login.cgi b/session_login.cgi
index e1ccec7d5..8edfebe70 100755
--- a/session_login.cgi
+++ b/session_login.cgi
@@ -24,6 +24,9 @@ if ($gconfig{'loginbanner'} && $ENV{'HTTP_COOKIE'} !~ /banner=1/ &&
 return;
 }
 $sec = uc($ENV{'HTTPS'}) eq 'ON' ? "; secure" : "";
+if (!$config{'no_httponly'}) {
+ $sec .= "; httpOnly";
+}
 &get_miniserv_config(\%miniserv);
 $sidname = $miniserv{'sidname'} || "sid";
 print "Set-Cookie: banner=0; path=/$sec\r\n" if ($gconfig{'loginbanner'});
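Review bot: The new `no_httponly` opt-out read from `$config{'no_httponly'}` just after the `$sec` assignment is introduced without any documentation, and the hunk does not show where `%config` is populated in pam_login.cgi, so please confirm it is loaded before this point and describe the key alongside the module's other options (e.g. a comment such as `# no_httponly=1 disables the HttpOnly attribute on login cookies for clients that need script access`). The same three lines are duplicated verbatim in the session_login.cgi hunk, together with the existing `secure` computation; deriving the attribute suffix once in a shared helper would keep the two login scripts from drifting. Browsers match cookie attribute names case-insensitively, so `httpOnly` works, but the canonical spelling is `$sec .= "; HttpOnly";`. The enclosing script continues beyond both hunks.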