Browse Source

Check application.ssl when setting a secure cookie

Most SLL-related code in Laravel checks to see if `application.ssl`
is true before doing an action requiring it. `Cookie::put()` is the
only exception that I've found, to date, that doesn't test for SSL.

This checks to see that the SSL is enabled when attempting to set a
secure cookie.

To verify, set `application.ssl` to false (without this patch) then
run:

	Cookie::put('foo', 'bar', 0, '/', null, true);

You will get an exception because of line 90 in `cookie.php`:

		if ($secure and ! Request::secure())
		{
			throw new \Exception("Attempting to set secure cookie over HTTP.");
		}

With this patch you will not get this error unless both `application.ssl`
is true, and the cookie `$secure` flag is set.
Robert K 11 years ago
parent
commit
785e168f5e
1 changed files with 4 additions and 0 deletions
  1. 4 0
      laravel/cookie.php

+ 4 - 0
laravel/cookie.php

@@ -82,6 +82,10 @@ class Cookie {
 
 		$value = static::hash($value).'+'.$value;
 
+		// If the developer has explicitly disabled SLL, then we shouldn't force
+		// this cookie over SSL.
+		$secure = $secure && Config::get('application.ssl');
+
 		// If the secure option is set to true, yet the request is not over HTTPS
 		// we'll throw an exception to let the developer know that they are
 		// attempting to send a secure cookie over the insecure HTTP.