From ba9f4461d8935bb9de256a5bedf0c89d3d317c7f Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 8 Mar 2016 19:00:04 +0100
Subject: Secure cookie HTTPS

---
 lib/Minz/Request.php | 17 ++++++++++++-----
 lib/Minz/Session.php |  6 +++---
 2 files changed, 15 insertions(+), 8 deletions(-)

(limited to 'lib')

diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index effb9943c..81457df9e 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -84,6 +84,17 @@ class Minz_Request {
 		self::magicQuotesOff();
 	}
 
+	/**
+	 * Return true if the request is over HTTPS, false otherwise (HTTP)
+	 */
+	public static function isHttps() {
+		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+			return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
+		} else {
+			return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
+		}
+	}
+
 	/**
 	 * Try to guess the base URL from $_SERVER information
 	 *
@@ -92,11 +103,7 @@ class Minz_Request {
 	public static function guessBaseUrl() {
 		$url = 'http';
 
-		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
-			$https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
-		} else {
-			$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
-		}
+		$https = self::isHttps();
 
 		if (!empty($_SERVER['HTTP_HOST'])) {
 			$host = $_SERVER['HTTP_HOST'];
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 940cd27d9..c94f2b646 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -73,7 +73,7 @@ class Minz_Session {
 	 * @param $l la durée de vie
 	 */
 	public static function keepCookie($l) {
-		session_set_cookie_params($l, self::getCookieDir(), '', false, true);
+		session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true);
 	}
 
 
@@ -86,11 +86,11 @@ class Minz_Session {
 	}
 
 	public static function deleteLongTermCookie($name) {
-		setcookie($name, '', 1, '', '', false, true);
+		setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function setLongTermCookie($name, $value, $expire) {
-		setcookie($name, $value, $expire, '', '', false, true);
+		setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function getLongTermCookie($name) {
-- 
cgit v1.2.3