[HttpKernel] cookie_secure: auto does not work correctly #44644

Closed
fritzmg opened this issue Dec 15, 2021 · 1 comment
Comments

fritzmg (Contributor) commented Dec 15, 2021

Symfony version(s) affected

4.4.35

Description

The session problems in 5.4.1 prompted me to investigate another issue we noticed with sessions over http:// connections in Symfony 4.4. It seems framework.session.cookie_secure: auto does not work correctly in Symfony 4.4 either. If a session is created in Symfony 4.4, the following response header will be set, even over http:// connections:

Set-Cookie: PHPSESSID=…; path=/; secure; httponly

As you can see, the secure flag was set, even though the session was started via an http:// connection and framework.session.cookie_secure is set to auto. For comparison, the response header in Symfony 5.4.0 and the soon-to-be 5.4.2 looks like this:

Set-Cookie: PHPSESSID=…; path=/; httponly

The secure flag is not present, as expected.

How to reproduce

  1. Use symfony/http-kernel: 4.4.35 in your project.
  2. Create a controller that starts the session.
  3. Access the controller via http:// and check the response headers.

Possible Solution

No response

Additional Context

The session still works as far as I can tell, at least problems will not manifest themselves immediately. However, we experienced firewall problems if there already is an active session over http:// with the secure flag set, plus an active login on that session, and a new login attempt is made with the same session and the same scheme (http://), but a different firewall.
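An added check, not Symfony's own code, that applies the cookie_secure: auto rule described above to Set-Cookie headers: under auto the Secure flag should be present exactly when the request scheme is https, and a session cookie that deviates from that is reported. The sample headers are constructed after the two quoted in the issue; the cookie name PHPSESSID is PHP's default.

```python
from typing import Dict, List, Union

SESSION_COOKIE = "PHPSESSID"  # default PHP session cookie name

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header into name, value and a dict of lowercase attributes."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def expected_secure(scheme: str, cookie_secure: Union[bool, str]) -> bool:
    """Secure flag the framework should emit: true/false as configured, 'auto' follows the scheme."""
    if cookie_secure == "auto":
        return scheme.lower() == "https"
    return bool(cookie_secure)

def check_session_cookies(scheme: str, headers: List[str],
                          cookie_secure: Union[bool, str] = "auto") -> List[str]:
    """Return one finding per session cookie whose flags deviate from the configured policy."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != SESSION_COOKIE:
            continue
        has_secure = "secure" in cookie["attrs"]
        want_secure = expected_secure(scheme, cookie_secure)
        if has_secure and not want_secure:
            # Browsers do not send a Secure cookie back over plain http, so the session is lost.
            findings.append(f"{SESSION_COOKIE}: Secure flag set over {scheme}; browser will not return it")
        elif want_secure and not has_secure:
            findings.append(f"{SESSION_COOKIE}: Secure flag missing over {scheme}; cookie can leak over plaintext")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{SESSION_COOKIE}: HttpOnly missing")
    return findings

# Constructed sample responses mirroring the two headers quoted in the issue.
BUGGY_HTTP = ["Set-Cookie: PHPSESSID=abc123; path=/; secure; httponly"]
GOOD_HTTP = ["Set-Cookie: PHPSESSID=abc123; path=/; httponly"]

if __name__ == "__main__":
    print(check_session_cookies("http", BUGGY_HTTP))  # one finding
    print(check_session_cookies("http", GOOD_HTTP))   # []
```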

fritzmg (Contributor, Author) commented Dec 15, 2021

Never mind, I tested wrong. The secure flag is in fact not set.

@fritzmg fritzmg closed this as completed Dec 15, 2021