From 56eab502606c2c1bb2e64f08e27db1467d211b4f Mon Sep 17 00:00:00 2001
From: Ayumi <57409060+ayumi-cloud@users.noreply.github.com>
Date: Sat, 14 Dec 2019 17:14:23 +0000
Subject: [PATCH] Documented session.http_only (#4743)

Credit to @ayumi-cloud
---
 config/session.php | 13 +++++++++++++
 modules/backend/classes/Controller.php | 2 ++
 2 files changed, 15 insertions(+)

diff --git a/config/session.php b/config/session.php
index bfb16513b..ab762f221 100644
--- a/config/session.php
+++ b/config/session.php
@@ -137,6 +137,19 @@ return [

 'domain' => null,

+ /*
+ |--------------------------------------------------------------------------
+ | HTTP Access Only
+ |--------------------------------------------------------------------------
+ |
+ | Setting this value to true will prevent JavaScript from accessing the
+ | value of the cookie and the cookie will only be accessible through
+ | the HTTP protocol. You are free to modify this option if needed.
+ |
+ */
+
+ 'http_only' => true,
+
 /*
 |--------------------------------------------------------------------------
 | HTTPS Only Cookies
diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index 01ac494f5..c4e64b6ba 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -277,6 +277,7 @@ class Controller extends ControllerBase
 if ($ajaxResponse = $this->execAjaxHandlers()) {
 $result = $ajaxResponse;
 }
+
 /*
 * Execute postback handler
 */
@@ -287,6 +288,7 @@ class Controller extends ControllerBase
 ) {
 $result = $handlerResponse;
 }
+
 /*
 * Execute page action
 */
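Review bot: The new `http_only` comment in config/session.php closes with "You are free to modify this option if needed" but never says what turning it off costs: with the value set to false, any script running in the page, including one injected through an XSS flaw, can read the session cookie. The phrase "only be accessible through the HTTP protocol" is also easy to misread as HTTP versus HTTPS, since the very next block is "HTTPS Only Cookies"; the flag governs script access, not transport. I would replace the last sentence with `| Leave this enabled unless client-side code must read the session cookie;` and `| disabling it exposes the cookie to every script running on the page.` The hunk shows only this array entry, so whether the framework falls back to true when the key is absent from an older config file cannot be seen here and is worth confirming for existing installs.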