author | Brad Jorsch <bjorsch@wikimedia.org> | 2016-01-25 14:15:40 -0500 |
---|---|---|
committer | Brad Jorsch <bjorsch@wikimedia.org> | 2016-01-25 14:25:09 -0500 |
commit | 4eeff5b559e2ae7b8fa1f45572968ba28573a421 (patch) | |
tree | 6aef2cc5a30b5c01ded357184ed699165a38adfb /includes/session | |
parent | 7491b52f700e220814a8190781fd794b4dd88a20 (diff) | |
Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
The pre-SessionManager code did this, and the change in combination with
the API not honoring forceHTTPS led to T124252.
Bug: T124252
Change-Id: Ic6a79fbb30491040facd7c200b1f47d6b99ce637
Diffstat (limited to 'includes/session')
-rw-r--r-- | includes/session/CookieSessionProvider.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/includes/session/CookieSessionProvider.php b/includes/session/CookieSessionProvider.php index 915127ff3c8d..2d01d1d0f408 100644 --- a/includes/session/CookieSessionProvider.php +++ b/includes/session/CookieSessionProvider.php @@ -176,7 +176,10 @@ class CookieSessionProvider extends SessionProvider { $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS(); if ( $forceHTTPS ) { - $options['secure'] = true; + // Don't set the secure flag if the request came in + // over "http", for backwards compat. + // @todo Break that backwards compat properly. + $options['secure'] = $this->config->get( 'CookieSecure' ); } $response->setCookie( $this->params['sessionName'], $session->getId(), null, |
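Review bot: In the new assignment `$options['secure'] = $this->config->get( 'CookieSecure' );`, the comment above it talks about whether the request came in over "http", but the line reads a configuration value and nothing in this hunk checks the request protocol. Either say in the comment that 'CookieSecure' is expected to reflect the request protocol by the time this runs, or test the protocol here explicitly, so the next reader does not have to guess. When `$forceHTTPS` is true and the setting is false, the session cookie for a user who requires HTTPS goes out without the secure flag; the `@todo` acknowledges this, and it would help to reference a tracking task there so the backwards-compat path has a defined end. The value is also assigned without a cast, so a non-boolean setting would pass straight into `$options['secure']`; consider normalising it to a bool. Finally, the commit subject says `$wgSecureCookie` while the code reads 'CookieSecure'; the two should name the same setting.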