[11.x] Auto-secure cookies (#52422)

fabricecw · web-flow · commit 6ae8c9a3742c · 2024-08-08T08:30:23.000-05:00
* [11.x] Auto-secure cookies

* Add tests
diff --git a/src/Illuminate/Session/Middleware/StartSession.php b/src/Illuminate/Session/Middleware/StartSession.php
@@ -224,7 +224,7 @@ protected function addCookieToResponse(Response $response, Session $session)
                 $this->getCookieExpirationDate(),
                 $config['path'],
                 $config['domain'],
-                $config['secure'] ?? false,
+                $config['secure'],
                 $config['http_only'] ?? true,
                 false,
                 $config['same_site'] ?? null,
diff --git a/tests/Http/HttpResponseTest.php b/tests/Http/HttpResponseTest.php
@@ -90,6 +90,24 @@ public function testWithCookie()
         $this->assertSame('bar', $cookies[0]->getValue());
     }
 
+    public function testResponseCookiesInheritRequestSecureState()
+    {
+        $cookie = Cookie::create('foo', 'bar');
+
+        $response = new Response('foo');
+        $response->headers->setCookie($cookie);
+
+        $request = Request::create('/', 'GET');
+        $response->prepare($request);
+
+        $this->assertFalse($cookie->isSecure());
+
+        $request = Request::create('https://localhost/', 'GET');
+        $response->prepare($request);
+
+        $this->assertTrue($cookie->isSecure());
+    }
+
     public function testGetOriginalContent()
     {
         $arr = ['foo' => 'bar'];
diff --git a/tests/Integration/Session/CookieSessionHandlerTest.php b/tests/Integration/Session/CookieSessionHandlerTest.php
@@ -20,6 +20,25 @@ public function testCookieSessionDriverCookiesCanExpireOnClose()
         $this->assertEquals(0, $sessionValueCookie->getExpiresTime());
     }
 
+    public function testCookieSessionInheritsRequestSecureState()
+    {
+        Route::get('/', fn () => '')->middleware('web');
+
+        $unsecureResponse = $this->get('/');
+        $unsecureSessionIdCookie = $unsecureResponse->getCookie('laravel_session');
+        $unsecureSessionValueCookie = $unsecureResponse->getCookie($unsecureSessionIdCookie->getValue());
+
+        $this->assertFalse($unsecureSessionIdCookie->isSecure());
+        $this->assertFalse($unsecureSessionValueCookie->isSecure());
+
+        $secureResponse = $this->get('https://localhost/');
+        $secureSessionIdCookie = $secureResponse->getCookie('laravel_session');
+        $secureSessionValueCookie = $secureResponse->getCookie($secureSessionIdCookie->getValue());
+
+        $this->assertTrue($secureSessionIdCookie->isSecure());
+        $this->assertTrue($secureSessionValueCookie->isSecure());
+    }
+
     protected function defineEnvironment($app)
     {
         $app['config']->set('app.key', Str::random(32));
