[feature] Set secure cookies by default is connexion is secure

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Change Log
 Only partial changelog, [commit history](https://framagit.org/Shnoulle/LimeSurvey/commits/2.06_SondagesPro) show all changelog.
 
+## Unreleased
+
+### Feature
+- Set secure cookies by default is connexion is secure
+
 ## [1.1.0] - 2016-11-10
 
 ### Fix

application/config/internal.php

@@ -47,13 +47,15 @@
         ),
         'request' => array(
             'class'=>'LSHttpRequest',
+            'enableCsrfValidation'=>true,    // CSRF protection
+            'enableCookieValidation'=>false,   // Enable to activate cookie protection
+            'csrfCookie' => array(
+                'secure' => (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'), // @see session
+            ),
             'noCsrfValidationRoutes'=>array(
                 'remotecontrol',
                 'plugins/unsecure',
             ),
-
-            'enableCsrfValidation'=>true,    // CSRF protection
-            'enableCookieValidation'=>false   // Enable to activate cookie protection
         ),
         'user' => array(
             'class' => 'LSWebUser',
@@ -87,6 +89,8 @@
         'session' => array(
             'cookieParams' => array(
                 'httponly' => true,
+                // Set secure if needed , some dumb server need || $_SERVER['SERVER_PORT'] == 443 . See @link http://stackoverflow.com/a/2886224/2239406
+                'secure'=>(!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'),
             ),
         ),
         'messages' => array(