Commit 785e168

Check application.ssl when setting a secure cookie
Most SSL-related code in Laravel checks to see if `application.ssl` is true before doing an action requiring it. `Cookie::put()` is the only exception that I've found, to date, that doesn't test for SSL.

This checks to see that SSL is enabled when attempting to set a secure cookie.

To verify, set `application.ssl` to false (without this patch) then run:

    Cookie::put('foo', 'bar', 0, '/', null, true);

You will get an exception because of line 90 in `cookie.php`:

    if ($secure and ! Request::secure()) {
        throw new \Exception("Attempting to set secure cookie over HTTP.");
    }

With this patch you will not get this error unless both `application.ssl` is true, and the cookie `$secure` flag is set.
1 parent 5dd3ec6 commit 785e168

1 file changed

+4
-0
lines changed

laravel/cookie.php

Lines changed: 4 additions & 0 deletions
@@ -82,6 +82,10 @@ public static function put($name, $value, $expiration = 0, $path = '/', $domain
8282

8383
$value = static::hash($value).'+'.$value;
8484

85+
// If the developer has explicitly disabled SLL, then we shouldn't force
86+
// this cookie over SSL.
87+
$secure = $secure && Config::get('application.ssl');
88+
8589
// If the secure option is set to true, yet the request is not over HTTPS
8690
// we'll throw an exception to let the developer know that they are
8791
// attempting to send a secure cookie over the insecure HTTP.
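Review bot: The added line 87, `$secure = $secure && Config::get('application.ssl');`, silently clears the Secure flag whenever `application.ssl` is falsy, so a caller who passed `$secure = true` gets a cookie that can be sent over plain HTTP, with no exception and no sign that the request was downgraded. Please document this override in the `put()` docblock, or keep raising an exception when the caller asks for a secure cookie while SSL is disabled in configuration, so that dropping the flag is an explicit choice rather than a side effect. The comment at added line 85 also has a typo: "SLL" should read "SSL".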
