The pre-SessionManager code did this, and the change in combination with
the API not honoring forceHTTPS led to T124252.
Bug: T124252
Change-Id: Ic6a79fbb30491040facd7c200b1f47d6b99ce637
$forceHTTPS = $session->shouldForceHTTPS() || $user->requiresHTTPS();
if ( $forceHTTPS ) {
- $options['secure'] = true;
+ // Don't set the secure flag if the request came in
+ // over "http", for backwards compat.
+ // @todo Break that backwards compat properly.
+ $options['secure'] = $this->config->get( 'CookieSecure' );
}
$response->setCookie( $this->params['sessionName'], $session->getId(), null,
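Review bot: The comment added above `$options['secure'] = $this->config->get( 'CookieSecure' );` gives the backwards-compat reason but not the security cost: a session with `$forceHTTPS` true can now get its session cookie without the Secure attribute, so the session id may travel over plain http. I would say so in the comment, e.g. `// NOTE: with forceHTTPS set and CookieSecure false, the session id cookie is sent without Secure and can cross plain http.`, and point the `@todo` at a tracking task so the exception is not forgotten. The value is also passed through from config unchanged; if `CookieSecure` can hold anything other than a boolean at this point (not visible here), it should be normalised before the assignment. The enclosing method starts and ends outside the hunk.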
'cookieOptions' => array( 'prefix' => 'x' ),
) );
$config = $this->getConfig();
- $config->set( 'CookieSecure', false );
+ $config->set( 'CookieSecure', $secure );
$provider->setLogger( new \TestLogger() );
$provider->setConfig( $config );
$provider->setManager( SessionManager::singleton() );