setFlashCookieObject does not use system.session.secure to avoid sending the cookie over an unsecured connection.
Maybe system.session.httponly is also relevant.
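As an added illustration (not code from this issue or from the project itself): a small PHP helper that builds the flash cookie's Set-Cookie header from the session block's secure/httponly settings, next to an audit function that reports which of the two flags a given header is missing. The config key names, the cookie name and the function names are assumptions made for the example; only the two setting names come from the issue.

```php
<?php
// Added example, not project code. Shows the difference between a flash
// cookie emitted without consulting the session settings and one that
// honours the secure/httponly settings named in this issue.

/**
 * Build a Set-Cookie header value for the flash cookie.
 * $sessionConfig is assumed to be the decoded system.session block,
 * e.g. ['secure' => true, 'httponly' => true].
 */
function buildFlashCookieHeader(string $name, string $value, array $sessionConfig): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value), 'Path=/'];

    // Secure: the browser only sends the cookie over HTTPS, so a request
    // downgraded to plain HTTP cannot leak it on the wire.
    if (!empty($sessionConfig['secure'])) {
        $parts[] = 'Secure';
    }

    // HttpOnly: script (document.cookie) cannot read it, which limits what
    // an XSS payload can exfiltrate.
    if (!empty($sessionConfig['httponly'])) {
        $parts[] = 'HttpOnly';
    }

    return implode('; ', $parts);
}

/**
 * Audit helper: return the security attributes missing from a Set-Cookie
 * header value. An empty array means both flags are present.
 */
function missingCookieFlags(string $header): array
{
    // Attribute names are case-insensitive (RFC 6265), so normalise them.
    $attrs = array_map('strtolower', array_map('trim', explode(';', $header)));

    $missing = [];
    if (!in_array('secure', $attrs, true)) {
        $missing[] = 'Secure';
    }
    if (!in_array('httponly', $attrs, true)) {
        $missing[] = 'HttpOnly';
    }
    return $missing;
}

// Constructed config, standing in for the system.session block of config.yml.
$sessionConfig = ['secure' => true, 'httponly' => true];

// The weak form described in the issue: the cookie is written without
// looking at the session settings at all (constructed header).
$weak = 'flash=saved; Path=/';

// The corrected form: the flags follow the session settings.
$fixed = buildFlashCookieHeader('flash', 'saved', $sessionConfig);

printf("weak:  %s\n  missing: %s\n", $weak, implode(', ', missingCookieFlags($weak)) ?: 'none');
printf("fixed: %s\n  missing: %s\n", $fixed, implode(', ', missingCookieFlags($fixed)) ?: 'none');
```

If the cookie is set through PHP's own setcookie() rather than by writing the header, the same settings can be passed straight through: since PHP 7.3 setcookie() accepts an options array with 'secure' and 'httponly' keys, so the session block can be handed over without re-deriving the flags in each caller, which is the kind of single place for cookie logic the comment below argues for.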
I think we need to break out the cookie logic into its own class. Currently it's only in SessionServiceProvider, but now we are using cookies in more places. Going to move to 1.7.
Type: Bug Topic: Security Version: 1.5.6