}
$options = $this->cookieOptions;
- if ( $session->shouldForceHTTPS() || $user->requiresHTTPS() ) {
- $response->setCookie( 'forceHTTPS', 'true', $session->shouldRememberUser() ? 0 : null,
- array( 'prefix' => '', 'secure' => false ) + $options );
- $options['secure'] = true;
+
+ $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
+ if ( $forceHTTPS ) {
+ // Don't set the secure flag if the request came in
+ // over "http", for backwards compat.
+ // @todo Break that backwards compat properly.
+ $options['secure'] = $this->config->get( 'CookieSecure' );
}
$response->setCookie( $this->params['sessionName'], $session->getId(), null,
foreach ( $cookies as $key => $value ) {
if ( $value === false ) {
- $this->clearCookie( $request, $response, $key, $options );
+ $response->clearCookie( $key, $options );
} else {
if ( $extendedExpiry !== null && in_array( $key, $extendedCookies ) ) {
$expiry = time() + (int)$extendedExpiry;
}
}
+ $this->setForceHTTPSCookie( $forceHTTPS, $session, $request );
$this->setLoggedOutCookie( $session->getLoggedOutTimestamp(), $request );
if ( $sessionData ) {
'Token' => false,
);
- $this->clearCookie( $request, $response, $this->params['sessionName'],
- array( 'prefix' => '' ) + $this->cookieOptions );
+ $response->clearCookie(
+ $this->params['sessionName'], array( 'prefix' => '' ) + $this->cookieOptions
+ );
foreach ( $cookies as $key => $value ) {
- $this->clearCookie( $request, $response, $key, $this->cookieOptions );
+ $response->clearCookie( $key, $this->cookieOptions );
}
- $this->clearCookie( $request, $response, 'forceHTTPS',
- array( 'prefix' => '', 'secure' => false ) + $this->cookieOptions );
+ $this->setForceHTTPSCookie( false, null, $request );
+ }
+
+ /**
+ * Set the "forceHTTPS" cookie
+ * @param bool $set Whether the cookie should be set or not
+ * @param SessionBackend|null $backend
+ * @param WebRequest $request
+ */
+ protected function setForceHTTPSCookie(
+ $set, SessionBackend $backend = null, WebRequest $request
+ ) {
+ $response = $request->response();
+ if ( $set ) {
+ $response->setCookie( 'forceHTTPS', 'true', $backend->shouldRememberUser() ? 0 : null,
+ array( 'prefix' => '', 'secure' => false ) + $this->cookieOptions );
+ } else {
+ $response->clearCookie( 'forceHTTPS',
+ array( 'prefix' => '', 'secure' => false ) + $this->cookieOptions );
+ }
}
/**
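Review bot: The new `setForceHTTPSCookie()` on lines 50-60 dereferences `$backend->shouldRememberUser()` in the `$set` branch while its signature and docblock allow `$backend` to be null, so a call with `true, null` is a fatal error rather than a clear contract failure; the two call sites in this commit (lines 25 and 41) happen to avoid it, but the method itself should guard it, e.g. `if ( $set && $backend === null ) { throw new \InvalidArgumentException( '$backend is required when $set is true' ); }` before the branch, with the docblock line changed to `@param SessionBackend|null $backend Required when $set is true`. The required `WebRequest $request` is declared after the optional `$backend = null`; that ordering is legal here but emits a deprecation on newer PHP versions, so consider placing `$request` before `$backend` if the call sites are adjusted in the same change. The removed docblock on line 67 wrote `\WebRequest`, which suggests this file is namespaced; if so, the unqualified `WebRequest` type hint on line 51 resolves to the local namespace unless a `use WebRequest;` import exists above this excerpt — confirm. The enclosing method that the hunk closes on line 42 starts outside the hunk.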
return $value;
}
- /**
- * Delete a cookie. Contains an auth-specific hack.
- * @param \WebRequest $request
- * @param \WebResponse $response
- * @param string $key
- * @param array $options
- */
- protected function clearCookie( $request, $response, $key, $options = array() ) {
- global $wgCookiePrefix;
-
- $prefix = isset( $options['prefix'] ) ? $options['prefix'] : $wgCookiePrefix;
-
- if ( $request->getCookie( $key, $prefix ) ) {
- $response->clearCookie( $key, $options );
- }
- }
-
/**
* Return the data to store in cookies
* @param User $user