env values referenced in CasManager.php?
There are a couple of env() referenced in CasManager.php (lines 41 and 42) that I'm curious about:
env( 'APP_DOMAIN' ),
env( 'HTTPS_ONLY_COOKIES' ),
These don't seem to be values that Laravel uses in its env (or maybe they were in an older version?), and I don't see them in a dump of all PHP environment variables with getenv().
I thought maybe they were meant to be added to the Laravel env, but if Laravel's configuration caching is used in a production deployment, these direct calls to env() would not retrieve the values (they'd need to be in a config file).
Perhaps these values should be referenced from the session config? config('session.domain'), config('session.secure'),
Yes: HTTPS_ONLY_COOKIES => True sets the cookie flag for secure (sent over TLS) cookies.
config('APP_DOMAIN') sets a domain level restriction on the cookie, e.g. yoursite.something.com
Together, these enhance the cookie security, if this was not configured in php.ini. https://www.php.net/manual/en/function.session-set-cookie-params.php
These are largely artifacts of Laravel 4.x-5.0, when things were less baked.
Both config('session.domain') and config('session.secure') are the better solutions. Feel free to send a pull request and tag this thread.
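
One way to apply the suggestion in the reply above, as an added example that is not code from the CAS package: cookie parameters are built from the session config array rather than from direct env() calls, and a missing `secure` value keeps the Secure flag on. The helper name `cookieParamsFromSessionConfig()` and the sample values are assumptions.

```php
<?php
// Added example; not code from the CAS package.
// cookieParamsFromSessionConfig() is a hypothetical helper. The array keys
// ('domain', 'secure', 'path', 'http_only') mirror Laravel's config/session.php.

function cookieParamsFromSessionConfig(array $session): array
{
    return [
        'lifetime' => 0,  // assumption: cookie ends with the browser session
        'path'     => $session['path'] ?? '/',
        // Unset domain becomes '', which yields a host-only cookie.
        'domain'   => (string) ($session['domain'] ?? ''),
        // Fail closed: a missing or null value keeps the Secure flag on.
        // Plain-HTTP development must set 'secure' => false explicitly.
        'secure'   => (bool) ($session['secure'] ?? true),
        'httponly' => (bool) ($session['http_only'] ?? true),
    ];
}

// Constructed sample values. Inside Laravel, pass config('session') instead,
// which still resolves after `php artisan config:cache`.
$samples = [
    'explicit'   => ['domain' => 'yoursite.something.com', 'secure' => true,
                     'path' => '/', 'http_only' => true],
    'unset keys' => ['domain' => null, 'secure' => null],
    'local http' => ['secure' => false],
];

// Apply the first set before any output, as a web request would do
// ahead of session_start().
session_set_cookie_params(cookieParamsFromSessionConfig($samples['explicit']));

foreach ($samples as $label => $session) {
    echo $label, ': ', json_encode(cookieParamsFromSessionConfig($session)), PHP_EOL;
}
```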