From db45be960f3ebfd07a772753742f7053352d5286 Mon Sep 17 00:00:00 2001
From: Taylor Otwell
Date: Fri, 22 Jul 2011 08:00:14 -0700
Subject: [PATCH] Added http_only option to session configuration.
---
 application/config/session.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/application/config/session.php b/application/config/session.php
index be0e3e0d..02418705 100644
--- a/application/config/session.php
+++ b/application/config/session.php
@@ -16,7 +16,7 @@
 |
 */
 
- 'driver' => '',
+ 'driver' => 'file',
 
 /*
 |--------------------------------------------------------------------------
@@ -86,4 +86,19 @@
 
 'https' => false,
 
+ /*
+ |--------------------------------------------------------------------------
+ | HTTP Only Session Cookie
+ |--------------------------------------------------------------------------
+ |
+ | Should the session cookie only be accessible over HTTP?
+ |
+ | Note: The intention of the "HTTP Only" option is to keep cookies from
+ | being accessed by client-side scripting languages. However, this
+ | setting should not be viewed as providing total XSS protection.
+ |
+ */
+
+ 'http_only' => false,
+
 );
\ No newline at end of file
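Review bot: The new `'http_only' => false,` default in the second hunk leaves the session cookie readable by page scripts unless each application opts in; a session identifier rarely needs script access, so the safer default is `'http_only' => true,`. The comment's question, "Should the session cookie only be accessible over HTTP?", reads like a transport setting, especially directly below `'https'`; wording such as `| Should the session cookie be hidden from client-side scripts (HttpOnly)?` states what the flag controls. The diffstat shows only the config file changing, so whether the session code passes this value when it sets the cookie is not visible here and is worth confirming.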