Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
[lhc/web/wiklou.git] / includes / session / CookieSessionProvider.php
index 915127f..2d01d1d 100644 (file)
@@ -176,7 +176,10 @@ class CookieSessionProvider extends SessionProvider {
 
                $forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
                if ( $forceHTTPS ) {
-                       $options['secure'] = true;
+                       // Don't set the secure flag if the request came in
+                       // over "http", for backwards compat.
+                       // @todo Break that backwards compat properly.
+                       $options['secure'] = $this->config->get( 'CookieSecure' );
                }
 
                $response->setCookie( $this->params['sessionName'], $session->getId(), null,
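Review bot: With the new assignment, a session whose user requires HTTPS (`$forceHTTPS` true) gets a session cookie without the Secure attribute whenever `CookieSecure` is false, so the session ID can then travel over plain HTTP and is exposed to anyone observing the connection. The added comment speaks of the request arriving over "http", but the line reads a config value and never inspects the request; that only matches if `CookieSecure` is resolved per request somewhere outside this hunk, which the comment should say, e.g. `// Assumes CookieSecure was already resolved to a boolean from the request protocol; if false, this session cookie is also sent over plain HTTP.` The commit title names `$wgSecureCookie` while the code reads `CookieSecure`, which makes the change harder to find later. Until the `@todo` is resolved, consider logging when `$forceHTTPS` is true but the flag ends up false, so operators can see how often HTTPS-required sessions receive a cookie without Secure. The enclosing method starts and ends outside the hunk.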