add support for secure cookies

2021-07-31 12:55:56 +02:00 · 2021-07-31 12:55:56 +02:00 · ab1409e108
parent 84020830ca
commit ab1409e108
3 changed files with 23 additions and 12 deletions
--- a/app/Web/Session.php
+++ b/app/Web/Session.php
@ -28,7 +28,7 @@ class Session
                    $params['lifetime'],
                    $params['path'].'; SameSite=Strict',
                    $params['domain'],
-                    $params['secure'],
+                    isSecure(),
                    $params['httponly']
                );
            }
@ -39,6 +39,7 @@ class Session
                'cookie_httponly' => true,
                'gc_probability' => 25,
                'cookie_samesite' => 'Strict', // works only for php  >= 7.3
+                'cookie_secure' => isSecure(),
            ]);

            if (!$started) {
--- a/app/helpers.php
+++ b/app/helpers.php
@ -528,7 +528,7 @@ if (!function_exists('must_be_escaped')) {
    {
        $mimes = [
            'text/htm',
-            'image/svg'
+            'image/svg',
        ];

        foreach ($mimes as $m) {
@ -540,3 +540,13 @@ if (!function_exists('must_be_escaped')) {
        return false;
    }
 }
+
+if (!function_exists('isSecure')) {
+    /**
+     * @return bool
+     */
+    function isSecure(): bool
+    {
+        return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] === 443;
+    }
+}
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@ -10,25 +10,25 @@ use App\Web\Session;
 use App\Web\View;
 use DI\Bridge\Slim\Bridge;
 use DI\ContainerBuilder;
-use function DI\factory;
-use function DI\get;
 use Psr\Container\ContainerInterface as Container;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
+use function DI\factory;
+use function DI\get;

 if (!file_exists(CONFIG_FILE) && is_dir(BASE_DIR.'install/')) {
    header('Location: ./install/');
    exit();
-} else {
+}
+
 if (!file_exists(CONFIG_FILE) && !is_dir(BASE_DIR.'install/')) {
    exit('Cannot find the config file.');
 }
-}

 // Load the config
 $config = array_replace_recursive([
    'app_name' => 'XBackBone',
-    'base_url' => isset($_SERVER['HTTPS']) ? 'https://'.$_SERVER['HTTP_HOST'] : 'http://'.$_SERVER['HTTP_HOST'],
+    'base_url' => isSecure() ? 'https://'.$_SERVER['HTTP_HOST'] : 'http://'.$_SERVER['HTTP_HOST'],
    'debug' => false,
    'maintenance' => false,
    'db' => [