Add session cookie httponly and set it to true.

app/edit/filelist.php

@@ -233,6 +233,8 @@ echo "\n";
 echo "      <TABLE BORDER=0 cellpadding='0' cellspacing='0'><TR><TD><a href='javascript:void(0);' onclick=\"if (typeof(clipwin)!='undefined') { clipwin.close(); } clipwin = window.open('fileoptions.php?folder=".urlencode($_SERVER["DOCUMENT_ROOT"])."','null','left=20,top=20,width=310,height=300,toolbar=0,resizable=0');\" style='text-decoration:none;' title=''><IMG SRC=\"images/folder.gif\" border='0'> ".$text['label-files']." </a><DIV style=''>\n"; //display:none
 //echo "      <TABLE BORDER=0 cellpadding='0' cellspacing='0'><TR><TD><A onClick=\"Toggle(this)\"><IMG SRC=\"images/plus.gif\"> <IMG SRC=\"images/folder.gif\"> Files </A><DIV style=''>\n"; //display:none
 
+//start the session
+ini_set("session.cookie_httponly", True);
 session_start();
 if ($_SESSION["app"]["edit"]["dir"] == "scripts") {
 	echo recur_dir($_SESSION['switch']['scripts']['dir']);

app/edit/fileoptionslist.php

@@ -228,6 +228,7 @@ echo "      <TABLE BORDER=0 cellpadding='0' cellspacing='0'><TR><TD><IMG SRC=\"i
 //echo "</DIV></TD></TR></TABLE>\n";
 //echo "</DIV></TD></TR></TABLE>\n";
 
+ini_set("session.cookie_httponly", True);
 session_start();
 if ($_SESSION["app"]["edit"]["dir"] == "scripts") {
 	echo recur_dir($_SESSION['switch']['scripts']['dir']);

core/users/signup.php

@@ -82,7 +82,7 @@ if (count($_POST) > 0 && check_str($_POST["persistform"]) != "1") {
 	$msg = '';
 
 	//--- begin captcha verification ---------------------
-		//session_start(); //make sure sessions are started
+		//ini_set("session.cookie_httponly", True); //session_start(); //make sure sessions are started
 		if (strtolower($_SESSION["captcha"]) != strtolower($_REQUEST["captcha"]) || strlen($_SESSION["captcha"]) == 0) {
 			//$msg .= "Captcha Verification Failed<br>\n";
 		}

index.php

@@ -26,6 +26,7 @@
 include "root.php";
 
 // start the session
+	ini_set("session.cookie_httponly", True);
 	session_start();
 
 //if config.php file does not exist then redirect to the install page

login.php

@@ -26,6 +26,7 @@
 include "root.php";
 
 //start session
+	ini_set("session.cookie_httponly", True);
 	session_start();
 
 //retain message

resources/captcha/config.php

@@ -63,7 +63,7 @@ $pathtofonts = "/captcha/fonts/"; //path from the root of the website
     //add this to the top of the page where the form is submitted to
 
         //--- begin captcha verification ---------------------
-          //session_start(); //make sure sessions are started
+          //ini_set("session.cookie_httponly", True); session_start(); //make sure sessions are started
           if (strtolower($_SESSION["captcha"]) != strtolower($_REQUEST["captcha"]) || strlen($_SESSION["captcha"]) == 0) {
 
               echo "       <span class=\"h2\">Sorry!</span>\n";

resources/captcha/img.php

@@ -26,8 +26,10 @@
 include "root.php";
 require_once "config.php";
 error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING ); //hide notices and warnings
-session_start();
 
+//start the session
+ini_set("session.cookie_httponly", True);
+session_start();
 
 // Captcha verification image -----------------------
 // Description this page is used to verify the captcha

resources/check_auth.php

@@ -31,6 +31,7 @@ require_once "resources/require.php";
 	}
 
 //start the session
+	ini_set("session.cookie_httponly", True);
 	session_start();
 
 //if the username session is not set the check username and password

resources/php.php

@@ -29,6 +29,7 @@
 
 	//session handling
 		//start the session
+			ini_set("session.cookie_httponly", True);
 			session_start();
 		//regenerate sessions to avoid session id attacks such as session fixation
 			if ($_SESSION['security']['session_rotate']['boolean'] == "true") {