From 06f43faefd0f212447b9776718ec61c5ebc6de61 Mon Sep 17 00:00:00 2001
From: darwinel
Date: Sun, 9 Feb 2014 01:26:26 +0100
Subject: CodeIgniter support some basic web security by default!
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I think its better to enable this basic security options by default. It’s more likely that users who build a new website or application from ground up, and use CodeIgniter can get used to this and eventually turn this off. From a web security perspective, we can support a more secure web, by default! Who agrees?
---
 application/config/config.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index ae748defd..4ee87ae24 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -302,11 +302,11 @@ $config['sess_driver'] = 'cookie';
 $config['sess_valid_drivers'] = array();
 $config['sess_cookie_name'] = 'ci_session';
 $config['sess_expiration'] = 7200;
-$config['sess_expire_on_close'] = FALSE;
-$config['sess_encrypt_cookie'] = FALSE;
+$config['sess_expire_on_close'] = TRUE;
+$config['sess_encrypt_cookie'] = TRUE;
 $config['sess_use_database'] = FALSE;
 $config['sess_table_name'] = 'ci_sessions';
-$config['sess_match_ip'] = FALSE;
+$config['sess_match_ip'] = TRUE;
 $config['sess_match_useragent'] = TRUE;
 $config['sess_time_to_update'] = 300;

@@ -351,7 +351,7 @@ $config['standardize_newlines'] = TRUE;
 | COOKIE data is encountered
 |
 */
-$config['global_xss_filtering'] = FALSE;
+$config['global_xss_filtering'] = TRUE;

 /*
 |--------------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b
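Review bot: In the first hunk, `$config['sess_encrypt_cookie'] = TRUE` depends on an encryption key that this commit does not set, and `$config['sess_match_ip'] = TRUE` will end sessions for clients whose address changes mid-session (mobile networks, proxy pools, dual-stack hosts). If `$config['encryption_key']` still ships empty elsewhere in config.php, which is not visible here, a fresh install would be relying on cookie encryption without a usable key, so the new default needs the key requirement stated next to it. IP matching also only helps when the client address is derived correctly behind a reverse proxy. I would add to the comment block above these settings, which lies outside the hunk, `| 'sess_encrypt_cookie' requires $config['encryption_key'] to be set to a random secret` and `| 'sess_match_ip' assumes a stable client IP; configure 'proxy_ips' when behind a proxy`.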
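Review bot: Enabling `$config['global_xss_filtering']` in the second hunk rewrites every GET, POST and COOKIE value before the application sees it, so legitimate input can be silently altered; a password containing markup-like characters may be changed before it is hashed. Input filtering also does not replace escaping at the point of output, so shipping it as the default can give new projects false confidence that XSS is handled. If the default is kept, the comment block above the setting, which starts outside the hunk, should say so, for example `| NOTE: this filter modifies incoming data and is not a substitute for escaping output for its context.`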