From 9a7c99fc4bbf97c7d08e6bc98192280f96470e44 Mon Sep 17 00:00:00 2001
From: Florian Thoma
Date: Fri, 6 Aug 2021 10:55:05 +1000
Subject: [PATCH] FIX Take current request protocol into account when deleting session cookie

---
 src/Control/Session.php | 10 +++++++---
 .../SessionAuthenticationHandler.php | 2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/Control/Session.php b/src/Control/Session.php
index 1aeb951ee..4adf1a4e0 100644
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@@ -245,7 +245,7 @@ class Session
      */
     public function restart(HTTPRequest $request)
     {
-        $this->destroy();
+        $this->destroy(true, $request);
         $this->start($request);
     }
 
@@ -358,14 +358,18 @@ class Session
      * Destroy this session
      *
      * @param bool $removeCookie
+     * @param HTTPRequest $request The request for which to destroy a session
      */
-    public function destroy($removeCookie = true)
+    public function destroy($removeCookie = true, HTTPRequest $request = null)
     {
         if (session_id()) {
             if ($removeCookie) {
+                if (!$request) {
+                    $request = Controller::curr()->getRequest();
+                }
                 $path = $this->config()->get('cookie_path') ?: Director::baseURL();
                 $domain = $this->config()->get('cookie_domain');
-                $secure = $this->config()->get('cookie_secure');
+                $secure = Director::is_https($request) && $this->config()->get('cookie_secure');
                 Cookie::force_expiry(session_name(), $path, $domain, $secure, true);
             }
             session_destroy();
diff --git a/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php b/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php
index 3b12059e6..1ce1eaca6 100644
--- a/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php
+++ b/src/Security/MemberAuthenticator/SessionAuthenticationHandler.php
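Review bot: The new `$this->destroy(true, $request)` call in restart() passes a bare boolean positionally only to reach the second parameter, and the logOut() hunk in SessionAuthenticationHandler.php does the same. If the project targets PHP 8, `$this->destroy(removeCookie: true, request: $request)` makes the intent readable at the call site; otherwise a short comment such as `// pass the live request so the expiry cookie matches its protocol` serves the same purpose. restart()'s docblock begins before the hunk.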
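Review bot: The new `$secure` assignment clears the Secure attribute on the expiry cookie whenever the request is plain HTTP, even with `cookie_secure` enabled; that is the intended fix, but nothing in the docblock says so, and a later reader will see it as a weakening of the cookie policy. Suggest `@param HTTPRequest|null $request Request whose protocol decides whether the expiry cookie carries the Secure flag; defaults to the current controller's request` and declaring the parameter as `?HTTPRequest $request = null` instead of relying on the implicit nullable default. Note that browsers applying strict secure-cookie rules will not let an HTTP response remove a cookie that was originally set with Secure, so the `session_destroy()` that follows remains the server-side invalidation that actually matters — worth a one-line comment above the `Cookie::force_expiry()` call. The `Controller::curr()->getRequest()` fallback also presumes a current controller exists, which may not hold on the CLI or in tests; confirm and guard if `Controller::curr()` can return null. destroy() continues past the end of the hunk.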
@@ -112,6 +112,6 @@ class SessionAuthenticationHandler implements AuthenticationHandler
     public function logOut(HTTPRequest $request = null)
     {
         $request = $request ?: Controller::curr()->getRequest();
-        $request->getSession()->destroy();
+        $request->getSession()->destroy(true, $request);
     }
 }