Cookies shall only be set "secure" when FlatPress is called via HTTPS

flatpressblog · Apr 20, 2024 · ba890f3 · ba890f3
1 parent ddfef97
commit ba890f3
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/defaults.php b/defaults.php
@@ -130,7 +130,7 @@
 
 // supports Apache and IIS
 $serverport = '';
-if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
+if (is_https()) {
 	// HTTPS enabled
 	$serverport = "https://";
 	ini_set('session.cookie_httponly', 1);
@@ -178,3 +178,14 @@
 #function _dummy() {}
 #set_error_handler('_dummy');
 
+
+
+
+/**
+ * Checks if FlatPress is called via HTTPS.
+ *
+ * @return boolean <code>true</code> when FlatPress is called via HTTPS; <code>false</code> otherwise.
+ */
+function is_https() {
+	return (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on'));
+}
diff --git a/fp-includes/core/core.cookie.php b/fp-includes/core/core.cookie.php
@@ -3,6 +3,7 @@
 function cookie_setup() {
 	global $fp_config;
 
+
 	// md5(BLOG_BASEURL);
 
 	if (!defined('COOKIEHASH'))
@@ -22,7 +23,7 @@ function cookie_setup() {
 	if (!defined('COOKIE_DOMAIN'))
 		define('COOKIE_DOMAIN', false);
 	if (!defined('COOKIE_SECURE'))
-		define('COOKIE_SECURE', true);
+		define('COOKIE_SECURE', is_https());
 	if (!defined('COOKIE_HTTPONLY'))
 		define('COOKIE_HTTPONLY', true);
 }