jenkins-bot has submitted this change and it was merged.

Change subject: Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure'
......................................................................

Use $wgSecureCookie to decide whether to actually mark secure cookies as 'secure' The pre-SessionManager code did this, and the change in combination with the API not honoring forceHTTPS led to T124252. Bug: T124252 Change-Id: I49ae17ca7c2cf606f2db21f7ce200a06357b2a9b --- M includes/session/CentralAuthSessionProvider.php 1 file changed, 4 insertions(+), 1 deletion(-) Approvals: BryanDavis: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/session/CentralAuthSessionProvider.php b/includes/session/CentralAuthSessionProvider.php index d78beb2..1350265 100644 --- a/includes/session/CentralAuthSessionProvider.php +++ b/includes/session/CentralAuthSessionProvider.php @@ -285,7 +285,10 @@ $options = $this->centralCookieOptions; if ( $session->shouldForceHTTPS() || $session->getUser()->requiresHTTPS() ) { - $options['secure'] = true; + // Don't set the secure flag if the request came in + // over "http", for backwards compat. + // @todo Break that backwards compat properly. + $options['secure'] = $this->config->get( 'CookieSecure' ); } // We only save the user into the central session if it's not a -- To view, visit https://gerrit.wikimedia.org/r/266285 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I49ae17ca7c2cf606f2db21f7ce200a06357b2a9b Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/CentralAuth Gerrit-Branch: master Gerrit-Owner: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org> Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org> Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
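
Review bot: On the replaced assignment inside the `shouldForceHTTPS() || requiresHTTPS()` branch, the new comment says the flag depends on whether the request came in over "http", but the code reads `$this->config->get( 'CookieSecure' )`, and nothing in this hunk shows how that setting relates to the request protocol. Suggest the comment name the setting and state that relationship, and that the value be coerced to a boolean if the setting can hold anything other than true or false. After this change, a session for which `shouldForceHTTPS()` or `requiresHTTPS()` is true can still have its central cookie issued without the secure flag, so the `@todo` should reference a tracking task rather than stand alone. The commit subject also refers to `$wgSecureCookie` while the code reads `CookieSecure`; the two should be made consistent.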