From 785e168f5ed15908b1d15dc2071eedc1bc16e30e Mon Sep 17 00:00:00 2001 From: Robert K Date: Wed, 3 Apr 2013 12:13:21 -0300 Subject: [PATCH] Check application.ssl when setting a secure cookie Most SLL-related code in Laravel checks to see if `application.ssl` is true before doing an action requiring it. `Cookie::put()` is the only exception that I've found, to date, that doesn't test for SSL. This checks to see that the SSL is enabled when attempting to set a secure cookie. To verify, set `application.ssl` to false (without this patch) then run: Cookie::put('foo', 'bar', 0, '/', null, true); You will get an exception because of line 90 in `cookie.php`: if ($secure and ! Request::secure()) { throw new \Exception("Attempting to set secure cookie over HTTP."); } With this patch you will not get this error unless both `application.ssl` is true, and the cookie `$secure` flag is set.
---
laravel/cookie.php | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/laravel/cookie.php b/laravel/cookie.php
index 503732f1..775ff125 100644
--- a/laravel/cookie.php
+++ b/laravel/cookie.php
@@ -82,6 +82,10 @@ public static function put($name, $value, $expiration = 0, $path = '/', $domain
 $value = static::hash($value).'+'.$value;
+ // If the developer has explicitly disabled SLL, then we shouldn't force
+ // this cookie over SSL.
+ $secure = $secure && Config::get('application.ssl');
+
 // If the secure option is set to true, yet the request is not over HTTPS
 // we'll throw an exception to let the developer know that they are
 // attempting to send a secure cookie over the insecure HTTP.
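Review bot: The added `$secure = $secure && Config::get('application.ssl');` silently drops the Secure attribute from a cookie the caller explicitly asked to be secure, so with `application.ssl` false (or, presumably, unset and returning null) a session or auth cookie can travel over plain HTTP with no exception and no log entry. Consider downgrading only when the current request is not HTTPS, e.g. `if ( ! Config::get('application.ssl') and ! Request::secure()) $secure = false;`, so the flag survives on HTTPS requests, and document on `put()` that `application.ssl` should stay true in production. The new comment also spells SSL as "SLL". The body of `put()` starts and ends outside this hunk, so how `$secure` is finally passed on when the cookie is stored is not visible here.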