Use secure session cookies in HTTPS by default (system.session.secure_https: true)

This commit is contained in:
Matias Griese
2021-12-08 17:38:16 +02:00
parent 3bfbb1a4ef
commit 90f5ff7c74
3 changed files with 4 additions and 1 deletions


@@ -4,6 +4,7 @@
1. [](#new)
* Made `Grav::redirect()` to accept `Route` class
* Added `translated()` method to `PageTranslateInterface`
* Use secure session cookies in HTTPS by default (`system.session.secure_https: true`)
2. [](#improved)
* Upgraded vendor libs for PHP 8.1 compatibility
* Upgraded to **composer v2.1.14** for PHP 8.1 compatibility


@@ -182,6 +182,7 @@ session:
name: grav-site # Name prefix of the session cookie. Use alphanumeric, dashes or underscores only. Do not use dots in the session name
uniqueness: path # Should sessions be `path` based or `security.salt` based
secure: false # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
secure_https: true # Set session secure on HTTPS but not on HTTP. Has no effect if you have `session.secure: true`. Set to false if your site jumps between HTTP and HTTPS.
httponly: true # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
samesite: Lax # Set session SameSite. Possible values are Lax, Strict and None. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
split: true # Sessions should be independent between site and plugins (such as admin)


@@ -40,7 +40,8 @@ class SessionServiceProvider implements ServiceProviderInterface
// Get session options.
$enabled = (bool)$config->get('system.session.enabled', false);
$cookie_secure = (bool)$config->get('system.session.secure', false);
$cookie_secure = $config->get('system.session.secure', false)
|| ($config->get('system.session.secure_https', true) && $uri->scheme(true) === 'https');
$cookie_httponly = (bool)$config->get('system.session.httponly', true);
$cookie_lifetime = (int)$config->get('system.session.timeout', 1800);
$cookie_domain = $config->get('system.session.domain');
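Review bot: The Secure decision on the new `$cookie_secure` lines now depends on `$uri->scheme(true)` at request time, and nothing in the hunk says what that returns when TLS is terminated in front of PHP; if the detected scheme is `http` there, the session cookie silently loses its Secure attribute even though users reach the site over HTTPS. That deployment caveat belongs both here and in the `secure_https` comment of the config hunk above, which currently only mentions sites that switch between HTTP and HTTPS, e.g. `# Behind a TLS-terminating proxy the request scheme may be detected as http; set session.secure: true there.` A short comment above the assignment would also make the precedence explicit: `// Secure flag: forced by system.session.secure; otherwise derived per request from the scheme when secure_https is on.` The enclosing closure starts and ends outside the hunk, so I am assuming `$uri` is already in scope there. Dropping the `(bool)` cast is fine since `||` always yields a bool.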