From f625742a12151afca34c1587bb199602ffbce633 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Tue, 12 Jun 2012 20:00:19 -0400
Subject: [PATCH] Make CakeSession use httponly by default. Fixes #2955
---
 lib/Cake/Model/Datasource/CakeSession.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/Cake/Model/Datasource/CakeSession.php b/lib/Cake/Model/Datasource/CakeSession.php
index ae928bfa4..6baab1d5b 100644
--- a/lib/Cake/Model/Datasource/CakeSession.php
+++ b/lib/Cake/Model/Datasource/CakeSession.php
@@ -475,6 +475,9 @@ class CakeSession {
 		if (!isset($sessionConfig['ini']['session.gc_maxlifetime'])) {
 			$sessionConfig['ini']['session.gc_maxlifetime'] = $sessionConfig['timeout'] * 60;
 		}
+		if (!isset($sessionConfig['ini']['session.cookie_httponly'])) {
+			$sessionConfig['ini']['session.cookie_httponly'] = 1;
+		}
 		if (empty($_SESSION)) {
 			if (!empty($sessionConfig['ini']) && is_array($sessionConfig['ini'])) {