jenkins-bot has submitted this change and it was merged.

Change subject: Use $wgSecureCookie to decide whether to actually mark secure 
cookies as 'secure'
......................................................................


Use $wgSecureCookie to decide whether to actually mark secure cookies as 
'secure'

The pre-SessionManager code did this, and the change in combination with
the API not honoring forceHTTPS led to T124252.

Bug: T124252
Change-Id: I49ae17ca7c2cf606f2db21f7ce200a06357b2a9b
---
M includes/session/CentralAuthSessionProvider.php
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  BryanDavis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/session/CentralAuthSessionProvider.php 
b/includes/session/CentralAuthSessionProvider.php
index d78beb2..1350265 100644
--- a/includes/session/CentralAuthSessionProvider.php
+++ b/includes/session/CentralAuthSessionProvider.php
@@ -285,7 +285,10 @@
 
                        $options = $this->centralCookieOptions;
                        if ( $session->shouldForceHTTPS() || 
$session->getUser()->requiresHTTPS() ) {
-                               $options['secure'] = true;
+                               // Don't set the secure flag if the request 
came in
+                               // over "http", for backwards compat.
+                               // @todo Break that backwards compat properly.
+                               $options['secure'] = $this->config->get( 
'CookieSecure' );
                        }
 
                        // We only save the user into the central session if 
it's not a
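Review bot: The new comment inside the `shouldForceHTTPS() || requiresHTTPS()` branch says the flag is skipped when the request came in over "http", but the assignment reads the `CookieSecure` config value and never inspects the request. The comment should either name the setting directly or explain how it tracks the request protocol. With this assignment, a user for whom `requiresHTTPS()` is true receives the central cookie without the secure attribute whenever `CookieSecure` is falsy, so the `@todo` should reference a tracking task to keep that gap visible. The commit subject also names `$wgSecureCookie` while the code reads `'CookieSecure'`; the two should use the same name.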

-- 
To view, visit https://gerrit.wikimedia.org/r/266285
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I49ae17ca7c2cf606f2db21f7ce200a06357b2a9b
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org>
Gerrit-Reviewer: Legoktm <legoktm.wikipe...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
