Changeset 28895 for trunk/src/wp-login.php

Timestamp:

06/29/2014 01:24:55 PM (11 years ago)

Author:

johnbillion

Message:

Conditionally set the the secure flag on the test cookie, post password cookie, settings cookies, and comment author cookies depending on whether the front end and/or admin area are served over https. Fixes #28427

File:

• trunk/src/wp-login.php (modified) (2 diffs)

trunk/src/wp-login.php

@@ -423 +423 @@
 
 //Set a cookie now to see if they are supported by the browser.
-setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
+$secure = ( is_https_url( home_url() ) && is_https_url( site_url() ) );
+setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
 if ( SITECOOKIEPATH != COOKIEPATH )
-    setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
+    setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
 
 /**
@@ -464 +465 @@
      */
     $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-    setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH );
+    $secure = is_https_url( home_url() );
+    setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
 
     wp_safe_redirect( wp_get_referer() );