When starting the installer session, pass cookie_secure=1 if the
detected protocol is HTTPS so that the session cookie carries the Secure
attribute. Without it the browser also sends the cookie on plain-HTTP
requests, so an attacker who can induce one (for example via a cross-site
request to an http:// URL) and observe the network learns the session ID.
Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit
9ba8f8d12475a37848eaadae0effae8d956e3342)
return true;
}
+ // Use secure cookies if we are on HTTPS
+ $options = [];
+ if ( $this->request->getProtocol() === 'https' ) {
+ $options['cookie_secure'] = '1';
+ }
+
$this->phpErrors = [];
set_error_handler( [ $this, 'errorHandler' ] );
try {
session_name( 'mw_installer_session' );
- session_start();
+ session_start( $options );
} catch ( Exception $e ) {
restore_error_handler();
throw $e;
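Review bot: The new options array only sets `cookie_secure`, so the installer session cookie is still readable from script; initialising it as `$options = [ 'cookie_httponly' => true ];` (before the HTTPS branch) keeps the session ID out of reach of any injected or third-party JavaScript at no cost, and `cookie_samesite` could be added where the PHP floor permits it. Passing an array to `session_start()` also needs PHP 7.0 or newer; if this branch still supports an older PHP, the call would emit a warning — which the error handler installed just above likely turns into an exception — so `ini_set( 'session.cookie_secure', '1' )` before `session_start()` is the portable form. Whether `getProtocol()` honours a TLS-terminating proxy (X-Forwarded-Proto) is not visible here; if it does not, the cookie silently stays non-Secure behind such a proxy, which is worth a comment at the check, e.g. `// Relies on getProtocol() seeing the client-facing scheme behind proxies`. The enclosing method starts and ends outside this hunk.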