getgrav / grav

Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
https://getgrav.org
MIT License

setFlashCookieObject does not use cookie settings #2324

Open Rotzbua opened 5 years ago

Rotzbua commented 5 years ago

Type: Bug Topic: Security Version: 1.5.6

setFlashCookieObject does not use system.session.secure to avoid sending the cookie over an unsecured connection. Maybe system.session.httponly is also relevant.
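The pattern behind this report, as an added illustration that is not Grav's code and not the commenter's: a flash cookie written with a bare setcookie() call beside a version that takes its Secure and HttpOnly attributes from the system.session settings. The function names, the config array shape and the samesite key are assumptions; only the system.session.secure and system.session.httponly keys come from the issue. Requires PHP 7.3 or later for the options-array form of setcookie().

```php
<?php
// Added example, not Grav's own code. Shows a flash cookie set without
// Secure/HttpOnly next to a version that derives both flags from a
// system.session-style config array. Function and key names other than
// 'secure' and 'httponly' are assumed for illustration.

// Weak form: only name, value, expiry and path. Whatever system.session
// says, this cookie travels over plain HTTP and is readable from JavaScript.
function setFlashCookieWeak(string $name, array $payload, int $ttl = 300): bool
{
    return setcookie($name, json_encode($payload), time() + $ttl, '/');
}

// Build setcookie() options from an array shaped like Grav's system.session
// block. 'secure' and 'httponly' mirror the settings named in the issue;
// 'samesite' is an extra the issue does not mention, included as a hardening
// default (assumption: Lax is acceptable for a flash cookie).
function flashCookieOptions(array $session, int $ttl = 300): array
{
    return [
        'expires'  => time() + $ttl,
        'path'     => $session['path'] ?? '/',
        'secure'   => (bool) ($session['secure'] ?? false),
        'httponly' => (bool) ($session['httponly'] ?? true),
        'samesite' => $session['samesite'] ?? 'Lax',
    ];
}

// Hardened form: same cookie, but the Secure and HttpOnly attributes follow
// the session configuration instead of being silently dropped.
function setFlashCookie(string $name, array $payload, array $session, int $ttl = 300): bool
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Cannot set cookie: output started at $file:$line");
    }
    return setcookie($name, json_encode($payload), flashCookieOptions($session, $ttl));
}

// Sanity check with a constructed config: both flags must survive the mapping.
$session = ['secure' => true, 'httponly' => true, 'path' => '/'];
$opts = flashCookieOptions($session);
if ($opts['secure'] !== true || $opts['httponly'] !== true) {
    throw new LogicException('session flags were not applied to the flash cookie');
}
```

To confirm a deployed fix from the outside, request a page that sets the flash cookie over HTTPS and inspect the response header, for example with `curl -sI https://example.test/ | grep -i set-cookie`; the flash cookie's Set-Cookie line should carry `Secure` and `HttpOnly` whenever system.session.secure and system.session.httponly are enabled.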

rhukster commented 5 years ago

I think we need to break out the cookie logic into its own class. Currently it's only in SessionServiceProvider, but now we are using cookies in more places. Going to move to 1.7.