Commit
Use secure session cookies in HTTPS by default (`system.session.secure_https: true`)
mahagr committed Dec 8, 2021
1 parent 3bfbb1a commit 90f5ff7
Showing 3 changed files with 4 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -4,6 +4,7 @@
1. [](#new)
* Made `Grav::redirect()` to accept `Route` class
* Added `translated()` method to `PageTranslateInterface`
* Use secure session cookies in HTTPS by default (`system.session.secure_https: true`)
2. [](#improved)
* Upgraded vendor libs for PHP 8.1 compatibility
* Upgraded to **composer v2.1.14** for PHP 8.1 compatibility
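Review bot: the new `#new` entry changes a default that existing installs will pick up silently, so the changelog line should also name the opt-out, e.g. append "; set it to false for sites that switch between HTTP and HTTPS" (wording taken from the new `secure_https:` comment in system.yaml), since a site that moves between the two schemes will otherwise see its session cookie withheld on the HTTP side and look like random logouts.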
1 change: 1 addition & 0 deletions system/config/system.yaml
@@ -182,6 +182,7 @@ session:
name: grav-site # Name prefix of the session cookie. Use alphanumeric, dashes or underscores only. Do not use dots in the session name
uniqueness: path # Should sessions be `path` based or `security.salt` based
secure: false # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
secure_https: true # Set session secure on HTTPS but not on HTTP. Has no effect if you have `session.secure: true`. Set to false if your site jumps between HTTP and HTTPS.
httponly: true # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
samesite: Lax # Set session SameSite. Possible values are Lax, Strict and None. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
split: true # Sessions should be independent between site and plugins (such as admin)
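Review bot: the `secure:` comment still says "Enable this only on sites that run exclusively on HTTPS" without pointing at the new `secure_https:` line, which is now the safer choice for everyone else; the two comments should reference each other so an administrator who reads `secure:` first does not switch it on for a mixed-scheme site. The `secure_https:` comment is otherwise clear, including the note that `session.secure: true` overrides it.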
3 changes: 2 additions & 1 deletion system/src/Grav/Common/Service/SessionServiceProvider.php
@@ -40,7 +40,8 @@ public function register(Container $container)

// Get session options.
$enabled = (bool)$config->get('system.session.enabled', false);
$cookie_secure = (bool)$config->get('system.session.secure', false);
$cookie_secure = $config->get('system.session.secure', false)
|| ($config->get('system.session.secure_https', true) && $uri->scheme(true) === 'https');
$cookie_httponly = (bool)$config->get('system.session.httponly', true);
$cookie_lifetime = (int)$config->get('system.session.timeout', 1800);
$cookie_domain = $config->get('system.session.domain');
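Review bot: `$uri` is not introduced in the visible context (only `$config` is), so confirm it is already in scope at this point of `register()` and not only resolved later. Dropping the `(bool)` cast on `$cookie_secure` is harmless because `||` yields a bool, but the neighbouring options keep their casts, so keeping it would be consistent. Since the Secure flag now depends on `$uri->scheme(true) === 'https'`, a deployment that terminates TLS at a proxy and serves Grav over plain HTTP internally will only get a Secure cookie if `$uri` derives the scheme from the forwarded request headers; if it does not, such sites need `system.session.secure: true` set explicitly, which is worth a sentence in the docs for this option.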

0 comments on commit 90f5ff7