Updated global.inc.php to reflect the new values required for cookie configuration and documented each of the options.

2013-07-11 19:17:49 +00:00 · 2013-07-11 19:17:49 +00:00 · 638b8387c3
commit 638b8387c3
parent ed573e6e46
1 changed files with 32 additions and 5 deletions
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@ -349,16 +349,43 @@ $config['memcache']['splay'] = 15;
 /**
 * Cookie configiration
 *
- * For multiple installations of this cookie change the cookie name
+ * You can configure the cookie behaviour to secure your cookies more than the PHP defaults
+ *
+ * For multiple installations of mmcfe-ng on the same domain you must change the cookie
+ * path or change the cookie name to avoid conflicts.
+ *
+ * Description
+ *   duration: the amount of time, in seconds, that a cookie should persist in the users
+ *             browser. 0 = until closed; 1440 = 24 minutes.
+ *
+ *   domain:   the only domain name that may access this cookie in the browser
+ *
+ *   path:     the highest path on the domain that can access this cookie; i.e. if running
+ *             two pools from a single domain you might set the path /ltc/ and /ftc/ to
+ *             separate user session cookies between the two.
+ *
+ *   httponly: marks the cookie as accessible only through the HTTP protocol. The cookie
+ *             can't be accessed by scripting languages, such as JavaScript. This can
+ *             help to reduce identity theft through XSS attacks in most browsers.
+ *
+ *   secure:   marks the cookie as accessible only through the HTTPS protocol. If you're
+ *             using SSL this will stop a user accidently accessing the site without SSL
+ *             and exposing their session cookie.
 *
 * Default:
- *   path    =  '/'
- *   name    =  'POOLERCOOKIE'
- *   domain  = ''
+ *   duration = '1440'
+ *   domain   = ''
+ *   path     = '/'
+ *   name     =  'POOLERCOOKIE'
+ *   httponly = true
+ *   secure   = false
 **/
+$config['cookie']['duration'] = '1440';
+$config['cookie']['domain'] = '';
 $config['cookie']['path'] = '/';
 $config['cookie']['name'] = 'POOLERCOOKIE';
-$config['cookie']['domain'] = '';
+$config['cookie']['httponly'] = true;
+$config['cookie']['secure'] = false;

 /**
 * Enable or disable the Smarty cache