From 47dec494658566772a0bdf9c0f2a97113acfb481 Mon Sep 17 00:00:00 2001
From: ctrlcctrlv <wizardchan@hush.com>
Date: Sun, 18 Aug 2013 01:44:36 +0000
Subject: [PATCH] Optionally access mod cookie in JavaScript

---
 inc/config.php   | 3 +++
 inc/mod/auth.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/inc/config.php b/inc/config.php
index f0e3ea9f..ba336d48 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -1070,6 +1070,9 @@
 	// Replace ?/config with a simple text editor for editing inc/instance-config.php.
 	$config['mod']['config_editor_php'] = false;
 
+	// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
+	$config['mod']['cookie_httponly'] = true;
+
 /*
  * ====================
  *  Mod permissions
diff --git a/inc/mod/auth.php b/inc/mod/auth.php
index bfab0f7e..5f449e0f 100644
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@@ -72,7 +72,7 @@ function setCookies() {
 			$mod['hash'][0] . // password
 			':' .
 			$mod['hash'][1], // salt
-		time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, true);
+		time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, false, $config['mod']['cookie_httponly']);
 }
 
 function destroyCookies() {