    Set the Secure flag on CSRF and Session cookies when HTTPS is used.

    Review Request #11652 — Created June 9, 2021 and submitted — Latest diff uploaded

    Information

    Review Board
    release-3.0.x

    CSRF and Session cookies really need to be set as Secure when on HTTPS.
    We weren't doing this before, and while it worked fine in browsers, it
    won't for very long. In particular, browsers are getting more strict with
    SameSite on HTTP-only cookies on an HTTPS connection, and this can
    prevent people from logging in or resetting passwords.

    This change ensures we set the right flags to enable HTTPS cookies when
    on HTTPS mode. Unit tests were added to make sure that any cookies set
    after changing the setting had the right state.

    Unit tests pass.
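    As an added illustration of the behaviour described in this review request (example code, not part of the request and not Review Board's own implementation): Review Board is built on Django, where the relevant switches are the `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` settings. The block below shows the same idea stand-alone: the session and CSRF cookies carry the `Secure` flag only when the site runs over HTTPS, and an audit helper checks emitted `Set-Cookie` headers for the expected flags, which is the kind of check the unit tests mentioned above would make. The `site_uses_https` flag and the sample cookie values are assumptions of the example.

```python
"""Added example: emit session/CSRF cookies with the Secure flag when the
site runs over HTTPS, and audit Set-Cookie headers for the expected flags.
Not Review Board's code; `site_uses_https` is a hypothetical configuration
flag standing in for the site's HTTPS mode."""
from http.cookies import SimpleCookie

# Django's default cookie names; the values used below are constructed.
SESSION_COOKIE_NAME = "sessionid"
CSRF_COOKIE_NAME = "csrftoken"


def build_cookie_header(name, value, site_uses_https, httponly=True, samesite="Lax"):
    """Return a Set-Cookie header value for one cookie.

    Secure is set only when the site is served over HTTPS: browsers never
    send a Secure cookie over plain HTTP (and refuse to store one set from an
    HTTP origin), so setting it unconditionally would break HTTP deployments.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = httponly
    morsel["samesite"] = samesite       # explicit SameSite, needs Python >= 3.8
    morsel["secure"] = site_uses_https  # the flag this change is about
    return morsel.OutputString()


def auth_cookie_headers(session_id, csrf_token, site_uses_https):
    """Headers for the two cookies in question. The CSRF cookie is
    deliberately not HttpOnly: Django's JavaScript helpers read it to copy
    the token into the X-CSRFToken request header."""
    return [
        build_cookie_header(SESSION_COOKIE_NAME, session_id, site_uses_https, httponly=True),
        build_cookie_header(CSRF_COOKIE_NAME, csrf_token, site_uses_https, httponly=False),
    ]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit_cookie_flags(headers, site_uses_https):
    """Return human-readable findings for the given headers; empty means
    every cookie carries the flags expected for this transport."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if site_uses_https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure on an HTTPS site")
        if not site_uses_https and "secure" in attrs:
            findings.append(f"{name}: Secure set on an HTTP site; browsers will not keep it")
        if name == SESSION_COOKIE_NAME and "httponly" not in attrs:
            findings.append(f"{name}: session cookie should be HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"{name}: no explicit SameSite; the browser default applies")
    return findings


if __name__ == "__main__":
    for https in (True, False):
        headers = auth_cookie_headers("s3ss10n", "t0k3n", https)
        print(f"HTTPS={https}:")
        for h in headers:
            print("  Set-Cookie:", h)
        print("  findings:", audit_cookie_flags(headers, https) or "none")
```

Running it prints the two header sets and an empty findings list for each; feeding the HTTP-mode headers to the audit with `site_uses_https=True` reproduces the misconfiguration the change fixes, namely cookies without `Secure` on an HTTPS site.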
