fix: TLS Cookie without "secure" flag

Author: thorsten

phpmyfaq/src/Bootstrap.php

@@ -123,6 +123,11 @@
 $faqConfig = new Configuration($db);
 $faqConfig->getAll();
 
+$secureCookie = 'false';
+if (isset($_SERVER['HTTPS']) && strtoupper($_SERVER['HTTPS']) === 'ON') {
+    $secureCookie = 'true';
+}
+
 //
 // We always need a valid session!
 //
@@ -131,6 +136,7 @@
 ini_set('session.use_trans_sid', '0');
 ini_set('session.cookie_samesite', 'Strict');
 ini_set('session.cookie_httponly', 'true');
+ini_set('session.cookie_secure', $secureCookie);
 ini_set('url_rewriter.tags', '');
 
 //

phpmyfaq/src/phpMyFAQ/Session.php

@@ -356,9 +356,9 @@ public function userTracking(string $action, $data = null): void
      */
     public function setCookie(string $name, $sessionId, int $timeout = 3600): bool
     {
-        $protocol = 'http';
+        $secure = false;
         if (isset($_SERVER['HTTPS']) && strtoupper($_SERVER['HTTPS']) === 'ON') {
-            $protocol = 'https';
+            $secure = true;
         }
 
         if (PHP_VERSION_ID < 70300) {
@@ -368,7 +368,7 @@ public function setCookie(string $name, $sessionId, int $timeout = 3600): bool
                 $_SERVER['REQUEST_TIME'] + $timeout,
                 dirname($_SERVER['SCRIPT_NAME']) . '; samesite=strict',
                 parse_url($this->config->getDefaultUrl(), PHP_URL_HOST),
-                'https' === $protocol, // only secure running via HTTPS
+                $secure,
                 true
             );
         } else {
@@ -380,7 +380,7 @@ public function setCookie(string $name, $sessionId, int $timeout = 3600): bool
                     'path' => dirname($_SERVER['SCRIPT_NAME']),
                     'domain' => parse_url($this->config->getDefaultUrl(), PHP_URL_HOST),
                     'samesite' => 'strict',
-                    'secure' => 'https' === $protocol, // only secure running via HTTPS
+                    'secure' => $secure,
                     'httponly' => true,
                 ]
             );