fixed secure cookie flag not set on auth cookie when using HTTPS

Erudika · Jun 21, 2021 · 1fdfee9 · 1fdfee9
1 parent 7fbacbf
commit 1fdfee9
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/main/java/com/erudika/scoold/utils/HttpUtils.java b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
@@ -19,6 +19,7 @@
 
 import com.erudika.para.utils.Config;
 import com.erudika.para.utils.Utils;
+import com.erudika.scoold.ScooldServer;
 import static com.erudika.scoold.ScooldServer.AUTH_COOKIE;
 import static com.erudika.scoold.ScooldServer.CONTEXT_PATH;
 import static com.erudika.scoold.ScooldServer.HOMEPAGE;
@@ -165,7 +166,7 @@ public static void setRawCookie(String name, String value, HttpServletRequest re
 		cookie.setHttpOnly(httpOnly);
 		cookie.setMaxAge(maxAge < 0 ? Config.SESSION_TIMEOUT_SEC : maxAge);
 		cookie.setPath(CONTEXT_PATH.isEmpty() ? "/" : CONTEXT_PATH);
-		cookie.setSecure(req.isSecure());
+		cookie.setSecure(StringUtils.startsWithIgnoreCase(ScooldServer.getServerURL(), "https://") || req.isSecure());
 		res.addCookie(cookie);
 	}
 
@@ -266,6 +267,9 @@ public static void setAuthCookie(String jwt, HttpServletRequest req, HttpServlet
 		sb.append("Expires=").append(expires).append(";");
 		sb.append("Max-Age=").append(maxAge).append(";");
 		sb.append("HttpOnly;");
+		if (StringUtils.startsWithIgnoreCase(ScooldServer.getServerURL(), "https://") || req.isSecure()) {
+			sb.append("Secure;");
+		}
 		sb.append("SameSite=Lax");
 		res.addHeader(javax.ws.rs.core.HttpHeaders.SET_COOKIE, sb.toString());
 	}