Fix issue #499 #1087
@@ -189,7 +191,7 @@ public function csrf_set_cookie() | |||
$expire = time() + $this->_csrf_expire; | |||
$secure_cookie = (bool) config_item('cookie_secure'); | |||
|
|||
if ($secure_cookie && ( ! isset($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] == 'off' OR ! $_SERVER['HTTPS'])) | |||
if ($secure_cookie && (empty($_SERVER['HTTPS']) OR $_SERVER['HTTPS'] === 'off')) |
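Review bot: On the added line, `$_SERVER['HTTPS'] === 'off'` is a case-sensitive match, so a server that reports the value as 'OFF' would pass this condition as if the request were HTTPS; comparing `strtolower($_SERVER['HTTPS'])` against 'off' closes that gap. The test also relies on `$_SERVER['HTTPS']` alone, which is normally unset when TLS is terminated at a proxy in front of PHP, so with `cookie_secure` enabled this branch would be taken on every request in that setup. Consider moving the test into one shared helper where that case can be handled and documented.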
Maybe it's an idea to declare a function that checks if HTTPS is true or false...
I guess some people might find it useful, but the check performed is way too simple.
OK, I created a pull request for an is_https() function...
The Security class constructor used to initialize all CSRF-related properties and call `_csrf_set_hash()` regardless of `$config['csrf_protection']`'s value.

Also replaced an `! isset($var) OR ! $var` expression with `empty($var)` and removed a few spaces on the way.