From 69ce23010727b6fc9259abac125765d15995969a Mon Sep 17 00:00:00 2001
From: Alex Grintsvayg
Date: Thu, 28 Jul 2016 15:59:47 -0400
Subject: [PATCH] actually enable secure cookies

---
 controller/Session.class.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/controller/Session.class.php b/controller/Session.class.php
index bebd861b..229072b8 100644
--- a/controller/Session.class.php
+++ b/controller/Session.class.php
@@ -18,10 +18,15 @@ class Session
     public static function init()
     {
-        session_start([
-            'cookie_secure' => IS_PRODUCTION, // cookie over ssl only
-            'cookie_httponly' => true, // no js access
-        ]);
+        ini_set('session.cookie_secure', IS_PRODUCTION); // send cookie over ssl only
+        ini_set('session.cookie_httponly', true); // no js access to cookies
+        session_start();
+
+        if (!static::get('secure_and_httponly_set'))
+        {
+            session_regenerate_id(); // ensure that old cookies get new settings
+        }
+        static::set('secure_and_httponly_set', true);
     }
 
     public static function get($key, $default = null)
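Review bot: The `session_regenerate_id()` call in the new `if` block leaves the previous session ID valid, because without the `delete_old_session` argument PHP keeps the old session data under the old identifier; a cookie that was issued before the Secure/HttpOnly flags existed can therefore still be replayed even after the client receives the new one, which defeats the stated purpose of the migration. The line should read `session_regenerate_id(true); // ensure that old cookies get new settings and invalidate the old id`. A smaller point of style on the two `ini_set` lines: `ini_set` takes a string value, so `IS_PRODUCTION` (presumably a bool) is coerced to `'1'` or `''`; spelling it out as `IS_PRODUCTION ? '1' : '0'` makes the intent explicit and avoids relying on coercion. The `get`/`set` helpers that hold the `secure_and_httponly_set` flag are defined outside this hunk, so whether the flag is read from `$_SESSION` and hence only trusted after `session_start()` is inferred, not visible here.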