From 5b2dfce98ac05a68543b7603f3d46afafc09086d Mon Sep 17 00:00:00 2001
From: JediKev <kevin@enhancesoft.com>
Date: Thu, 19 Oct 2017 12:50:34 -0500
Subject: [PATCH] issue: Httponly Cookies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This addresses issue 4015 where osTicket’s cookies aren’t HttpOnly by
default. The HttpOnly flag helps prevent client scripts accessing the
cookie. This updates the method that sets the cookie params to include
the HttpOnly flag.
---
 include/class.ostsession.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index dbb5cf631..5dd979e02 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -53,7 +53,7 @@ class osTicketSession {
             list($domain) = explode(':', $_SERVER['HTTP_HOST']);
 
         session_set_cookie_params($ttl, ROOT_PATH, $domain,
-            osTicket::is_https());
+            osTicket::is_https(), true);
 
         if (!defined('SESSION_BACKEND'))
             define('SESSION_BACKEND', 'db');
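Review bot: The HttpOnly flag is now passed unconditionally, which is correct, but `session_set_cookie_params()` governs only the PHP session cookie; the commit message speaks of osTicket's cookies in general, and any separate `setcookie()` calls elsewhere in the codebase (not visible in this hunk) would each need their own httponly argument to get the same protection. The positional form used here cannot express a SameSite attribute; if the project later requires PHP 7.3 or newer, the array form `session_set_cookie_params(['lifetime' => $ttl, 'path' => ROOT_PATH, 'domain' => $domain, 'secure' => osTicket::is_https(), 'httponly' => true, 'samesite' => 'Lax'])` would allow that in the same call. A short comment above the call, `// HttpOnly keeps the session cookie out of reach of client-side script (issue 4015)`, would record why the last argument is hard-coded to true rather than derived from configuration like the secure flag. The enclosing method begins before this hunk.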
-- 
GitLab