From 06379c5470a02f4086d2903b74975879a468d938 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Mon, 18 Aug 2008 18:56:01 +0000
Subject: [PATCH] - Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.

---
 includes/bootstrap.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 8fb6aff37f3..c516c68132a 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -373,6 +373,15 @@ function conf_init() {
 $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
 }
 }
+ // To prevent session cookies from being hijacked, a user can configure the
+ // SSL version of their website to only transfer session cookies via SSL by
+ // using PHP's session.cookie_secure setting. The browser will then use two
+ // separate session cookies for the HTTPS and HTTP versions of the site. So we
+ // must use different session identifiers for HTTPS and HTTP to prevent a
+ // cookie collision.
+ if (ini_get('session.cookie_secure')) {
+ $session_name .= 'SSL';
+ }
 // Strip leading periods, www., and port numbers from cookie domain.
 $cookie_domain = ltrim($cookie_domain, '.');
 if (strpos($cookie_domain, 'www.') === 0) {
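Review bot: The comment above the added `if (ini_get('session.cookie_secure'))` says the suffix prevents session cookies from being hijacked, but what the new lines actually guarantee is narrower: a non-Secure `SESS…` cookie from the HTTP side can no longer overwrite the HTTPS one, while the plain-HTTP session itself stays unprotected and, since browsers do not enforce cookie integrity by the Secure flag, a cookie carrying the `SSL`-suffixed name can still be planted from a non-TLS response and will be sent over HTTPS. I would narrow the comment to `// Use a distinct session name when session.cookie_secure is on, so the non-SSL cookie cannot collide with and overwrite the SSL one.` so nobody reads it as a fixation defence. Separately, `ini_get()` returns a string and any non-empty value is truthy here; if a deployment sets the directive to `off` with `ini_set()` at runtime rather than in php.ini, I believe the raw string is returned and would enable the suffix, so comparing against the normalised values (`'1'`, `'on'`, `'true'`, `'yes'`, case-insensitively) looks safer — worth confirming against the PHP versions Drupal supports. conf_init() begins and ends outside this hunk, and `$session_name` is assigned outside it.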