* @param $value String Value to set
* @param $exp Int Expiration time, as a UNIX time value;
* if 0 or not specified, use the default $wgCookieExpiration
+ * @param $secure Bool
+ * true: Force setting the secure attribute when setting the cookie
+ * false: Force NOT setting the secure attribute when setting the cookie
+ * null (default): Use the default ($wgCookieSecure) to set the secure attribute
*/
- protected function setCookie( $name, $value, $exp = 0 ) {
- $this->getRequest()->response()->setcookie( $name, $value, $exp );
+ protected function setCookie( $name, $value, $exp = 0, $secure = null ) {
+ $this->getRequest()->response()->setcookie( $name, $value, $exp, null, null, $secure );
}
/**
$this->setCookie( $name, $value );
}
}
+
+ /**
+ * If wpStickHTTPS was selected, also set an insecure cookie that
+ * will cause the site to redirect the user to HTTPS, if they access
+ * it over HTTP. Bug 29898.
+ */
+ if ( $request->getCheck( 'wpStickHTTPS' ) ) {
+ $this->setCookie( 'forceHTTPS', 'true', time() + 2592000, false ); //30 days
+ }
}
/**
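Review bot: The session cookies written just above by `$this->setCookie( $name, $value );` still use the default secure setting, so on a wiki where `$wgCookieSecure` is off they are sent in clear on the very HTTP request that the new `forceHTTPS` cookie is meant to redirect. When `wpStickHTTPS` is checked and the login itself arrived over HTTPS, those cookies could be written with the new fourth argument, e.g. `$this->setCookie( $name, $value, 0, true );`. The 30-day lifetime `2592000` is a bare literal that can outlive or undercut the login cookies; deriving it from the same expiry the login cookies use would keep the two in step. The enclosing function starts outside the hunk, so how `$request` is obtained cannot be checked from here.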
$this->clearCookie( 'UserID' );
$this->clearCookie( 'Token' );
+ $this->clearCookie( 'forceHTTPS' );
# Remember when user logged out, to prevent seeing cached pages
$this->setCookie( 'LoggedOut', wfTimestampNow(), time() + 86400 );
* @param $expire Int: number of seconds til cookie expires
* @param $prefix String: Prefix to use, if not $wgCookiePrefix (use '' for no prefix)
* @param @domain String: Cookie domain to use, if not $wgCookieDomain
+ * @param $forceSecure Bool:
+ * true: force the cookie to be set with the secure attribute
+ * false: force the cookie to be set without the secure attribute
+ * null: use the value from $wgCookieSecure
*/
- public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null ) {
+ public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null, $forceSecure = null ) {
global $wgCookiePath, $wgCookiePrefix, $wgCookieDomain;
global $wgCookieSecure,$wgCookieExpiration, $wgCookieHttpOnly;
if ( $expire == 0 ) {
if( $domain === null ) {
$domain = $wgCookieDomain;
}
+
+ if ( is_null( $forceSecure ) ) {
+ $secureCookie = $wgCookieSecure;
+ } else {
+ $secureCookie = $forceSecure;
+ }
+
$httpOnlySafe = wfHttpOnlySafe() && $wgCookieHttpOnly;
wfDebugLog( 'cookie',
'setcookie: "' . implode( '", "',
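Review bot: The `$forceSecure` override added in this branch lets any caller drop the secure attribute even when the site sets `$wgCookieSecure` to true, and nothing at the branch says when that is acceptable. I would add a comment above the `if`, `// false is only for non-sensitive marker cookies such as forceHTTPS; never pass it for session or token cookies`, and write the test as `$forceSecure === null` to match the `$domain === null` check three lines up. The value also reaches PHP's setcookie() unnormalised, so `$secureCookie = (bool)$forceSecure;` in the else branch would keep a stray non-boolean out of the call. The function body starts and ends outside the hunk.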
$expire,
$wgCookiePath,
$domain,
- $wgCookieSecure,
+ $secureCookie,
$httpOnlySafe ) ) . '"' );
setcookie( $prefix . $name,
$value,
$expire,
$wgCookiePath,
$domain,
- $wgCookieSecure,
+ $secureCookie,
$httpOnlySafe );
}
}
* @param $domain TODO DOCUMENT (Default: null)
*
*/
- public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null ) {
+ public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null, $forceSecure = null ) {
$this->cookies[$name] = $value;
}
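Review bot: The docblock above this signature is not extended for the new `$forceSecure` parameter, and the body still records only `$this->cookies[$name] = $value`, so the flag is silently dropped. I would add `@param $forceSecure Bool|null Accepted for signature compatibility; ignored by this implementation` so that test authors do not expect to assert on the secure attribute through this class.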
if ( !defined( 'MW_NO_SETUP' ) ) {
require_once( MWInit::compiledPath( "includes/Setup.php" ) );
}
-
$request = $this->context->getRequest();
+ if ( $request->getCookie( 'forceHTTPS' )
+ && $request->detectProtocol() == 'http'
+ && $request->getMethod() == 'GET'
+ ) {
+ $redirUrl = $request->getFullRequestURL();
+ $redirUrl = str_replace( 'http://' , 'https://' , $redirUrl );
+
+ // Setup dummy Title, otherwise OutputPage::redirect will fail
+ $title = Title::newFromText( NS_MAIN, 'REDIR' );
+ $this->context->setTitle( $title );
+ $output = $this->context->getOutput();
+ $output->redirect( $redirUrl );
+ $output->output();
+ wfProfileOut( __METHOD__ );
+ return;
+ }
+
// Send Ajax requests to the Ajax dispatcher.
if ( $wgUseAjax && $request->getVal( 'action', 'view' ) == 'ajax' ) {
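Review bot: The scheme rewrite `str_replace( 'http://' , 'https://' , $redirUrl )` replaces every occurrence of `http://` in the full request URL, so a query parameter that itself carries a URL is rewritten too; anchor it to the start with `$redirUrl = preg_replace( '#^http://#', 'https://', $redirUrl );`. The dummy-title call also looks reversed, since `Title::newFromText()` takes the text first and the default namespace second, so it should read `Title::newFromText( 'REDIR', NS_MAIN );`. Because the `forceHTTPS` cookie is deliberately sent without the secure attribute, it is a convenience hint that anyone on the network path can strip, and the request that triggers the redirect has already carried any cookies not marked secure; a short comment saying this does not replace `$wgCookieSecure` or HSTS would prevent over-reliance on it. The enclosing method starts and ends outside the hunk.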