Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
The pre-SessionManager code did this, and the change in combination with the API not honoring forceHTTPS led to T124252. Bug: T124252 Change-Id: Ic6a79fbb30491040facd7c200b1f47d6b99ce637
parent
7491b52f70
commit
4eeff5b559
2 changed files with 5 additions and 2 deletions
|
|
@ -176,7 +176,10 @@ class CookieSessionProvider extends SessionProvider {
|
|||
|
||||
$forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
|
||||
if ( $forceHTTPS ) {
|
||||
$options['secure'] = true;
|
||||
// Don't set the secure flag if the request came in
|
||||
// over "http", for backwards compat.
|
||||
// @todo Break that backwards compat properly.
|
||||
$options['secure'] = $this->config->get( 'CookieSecure' );
|
||||
}
|
||||
|
||||
$response->setCookie( $this->params['sessionName'], $session->getId(), null,
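Review bot: In the `if ( $forceHTTPS )` branch the session cookie's `secure` option now follows `$this->config->get( 'CookieSecure' )`, so when that setting is false a session that requires HTTPS still gets a cookie without the Secure attribute, and the browser will attach the session ID to plain-http requests where it can be read on the network. The new comment talks about the request protocol while the code reads a config value; it should say how the two are connected and name the exposure, e.g. `// With CookieSecure false the session cookie is also sent over http, even though this session requires HTTPS (T124252).` If the setting can hold a non-boolean value (how it is resolved is not visible in this hunk), it should be normalised to a boolean before it reaches `setCookie()`. The enclosing method starts and ends outside the hunk. The test hunk sets `CookieSecure` from `$secure` but shows no assertion, so it is worth confirming that the forceHTTPS-with-CookieSecure-false case is checked against the emitted cookie.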
|
||||
|
|
|
|||
|
|
@ -431,7 +431,7 @@ class CookieSessionProviderTest extends MediaWikiTestCase {
|
|||
'cookieOptions' => array( 'prefix' => 'x' ),
|
||||
) );
|
||||
$config = $this->getConfig();
|
||||
$config->set( 'CookieSecure', false );
|
||||
$config->set( 'CookieSecure', $secure );
|
||||
$provider->setLogger( new \TestLogger() );
|
||||
$provider->setConfig( $config );
|
||||
$provider->setManager( SessionManager::singleton() );
|
||||
|
|
|
|||