From ad27ee667e5eaa2ac71042d447a80db8325eda86 Mon Sep 17 00:00:00 2001
From: Florent Bruneau
Date: Sun, 21 Dec 2008 23:16:30 +0100
Subject: [PATCH] Add support for 'secure' cookies (https only, not accessible via javascript). Keep in mind this is just a hint given to the browser.
Signed-off-by: Florent Bruneau
---
 classes/env.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/classes/env.php b/classes/env.php
index 5b6a2b9..e41a669 100644
--- a/classes/env.php
+++ b/classes/env.php
@@ -217,11 +217,14 @@ class Cookie
 unset($_COOKIE[$key]);
 }
- public static function set($key, $value, $days) {
+ public static function set($key, $value, $days, $secure = false) {
 global $globals;
 $key = $globals->cookie_ns . $key;
- setcookie($key, $value, time() + 86400 * $days, $globals->cookie_path);
- $_COOKIE[$key] = $value;
+ if (!$secure || @$_SERVER['HTTPS']) {
+ setcookie($key, $value, time() + 86400 * $days, $globals->cookie_path, '',
+ $secure, $secure);
+ $_COOKIE[$key] = $value;
+ }
 }
 public static function v($key, $default = null)
-- 
2.1.4
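Review bot: The guard `@$_SERVER['HTTPS']` in `Cookie::set()` accepts any non-empty value as proof of TLS, but PHP documents that IIS with ISAPI sets this variable to `off` on plain-HTTP requests, so there a 'secure' cookie would still be sent in a cleartext `Set-Cookie` header; test it explicitly, e.g. `$https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';`. When the guard fails the cookie is dropped silently and the method returns nothing, so a caller cannot tell the value was never stored (this would presumably also happen on every request behind a TLS-terminating proxy that does not set `HTTPS`); returning `false` on the skipped branch and the `setcookie()` result otherwise would expose that without breaking existing callers. The single `$secure` flag also feeds both the `secure` and `httponly` arguments, so a cookie that must work over plain HTTP can never be marked HttpOnly; a separate `$httponly` parameter would decouple the two. `set()` is fully visible in the hunk, while the rest of class `Cookie` is not.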