From cf8602eedd4a31eadb72372fc878c12d342f8600 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sat, 11 Sep 2021 19:34:32 +0100
Subject: [PATCH] set httponly to true when calling setcookie. the ini_set option above doesn't actually seem to do anything... (but not removing it just in case

Signed-off-by: Adam Warner
---
 scripts/pi-hole/php/password.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php
index 01e7efd69..91888a0b8 100644
--- a/scripts/pi-hole/php/password.php
+++ b/scripts/pi-hole/php/password.php
@@ -50,7 +50,8 @@
 {
 $auth = true;
 // Refresh cookie with new expiry
- setcookie('persistentlogin', $pwhash, time()+60*60*24*7);
+ // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
+ setcookie('persistentlogin', $pwhash, time()+60*60*24*7, null, null, null, true );
 }
 else
 {
@@ -79,7 +80,8 @@
 // Set persistent cookie if selected
 if (isset($_POST['persistentlogin']))
 {
- setcookie('persistentlogin', $pwhash, time()+60*60*24*7);
+ // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
+ setcookie('persistentlogin', $pwhash, time()+60*60*24*7, null, null, null, true );
 }
 header('Location: index.php');
 exit();
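Review bot: Both new `setcookie()` calls, here and in the login branch of the second hunk, pass `null` for `$path`, `$domain` and `$secure`, which are declared as `string`, `string` and `bool`; PHP 8.1 and later report a deprecation for each null passed to a non-nullable built-in parameter. Passing the documented defaults keeps the behaviour and avoids that: `setcookie('persistentlogin', $pwhash, time()+60*60*24*7, '', '', false, true);`. `$secure` stays false either way, so the cookie is still sent over plain HTTP; if the interface can be served over HTTPS, the flag should follow the request scheme. Where PHP 7.3 is the minimum supported version, the options-array form of `setcookie()` would also allow a `samesite` attribute, which the positional form cannot set. The enclosing block begins and ends outside the hunk.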
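Review bot: The value written to `persistentlogin` is `$pwhash`, which looks like the stored password hash itself (its definition is outside the hunk, so this should be confirmed), making the cookie a password-equivalent credential that stays valid for seven days and cannot be revoked without changing the password. HttpOnly keeps page script from reading the cookie but does not change what it is worth to anyone who obtains it by another route, such as an unencrypted connection or a browser profile copy. A random per-login token, for example `bin2hex(random_bytes(32))`, stored server-side and checked with `hash_equals()`, would let a single persistent login be invalidated. The refresh branch in the first hunk sets the same value and would need the same treatment.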