Security: Set ch_sid cookie to 'secure' when using HTTPS - refs BT#21289

ywarnier · ywarnier · commit f18067843e65 · 2023-12-18T14:07:27.000+01:00
diff --git a/main/inc/lib/chamilo_session.class.php b/main/inc/lib/chamilo_session.class.php
@@ -86,14 +86,16 @@ public static function start($already_installed = true)
         //ini_set('session.cookie_secure', 1);
         //session ID in the cookie is only readable by the server
         ini_set('session.cookie_httponly', 1);
+        if (api_is_https()) {
+            ini_set('session.cookie_secure', 1);
+        }
 
         if (api_get_configuration_value('security_session_cookie_samesite_none')) {
             if (PHP_VERSION_ID < 70300) {
                 $sessionCookieParams = session_get_cookie_params();
                 session_set_cookie_params($sessionCookieParams['lifetime'], '/; samesite=None',
                 $sessionCookieParams['domain'], true, $sessionCookieParams['httponly']);
             } else {
-                ini_set('session.cookie_secure', 1);
                 ini_set('session.cookie_samesite', 'None');
             }
         }
