XSRF-TOKEN cookie can be securely set as httpOnly in config

see: laravel#16191
ametad · Nov 8, 2016 · 2241b02 · 2241b02
1 parent 1badfbd
commit 2241b02
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php b/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
@@ -136,7 +136,7 @@ protected function addCookieToResponse($request, $response)
         $response->headers->setCookie(
             new Cookie(
                 'XSRF-TOKEN', $request->session()->token(), Carbon::now()->getTimestamp() + 60 * $config['lifetime'],
-                $config['path'], $config['domain'], $config['secure'], false
+                $config['path'], $config['domain'], $config['secure'], $config['http_only']
             )
         );