Index: includes/session.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/session.inc,v
retrieving revision 1.44.2.7
diff -u -p -r1.44.2.7 session.inc
--- includes/session.inc 4 Mar 2010 00:15:28 -0000 1.44.2.7
+++ includes/session.inc 19 May 2010 16:15:35 -0000
@@ -99,6 +99,12 @@ function sess_regenerate() {
 setcookie(session_name(), '', time() - 42000, '/');
 }
+ if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
+ extract(session_get_cookie_params());
+ // Set "httponly" to TRUE to reduce the risk of session stealing via XSS.
+ // This has no effect for PHP < 5.2.0.
+ session_set_cookie_params($lifetime, $path, $domain, $secure, TRUE);
+ }
 session_regenerate_id();
 db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);