[HttpFoundation] make cookies auto-secure when passing them $secure = null

nicolas-grekas · nicolas-grekas · commit 1535093dd685 · 2018-09-11T22:20:45.000+02:00
diff --git a/src/Symfony/Component/HttpFoundation/Cookie.php b/src/Symfony/Component/HttpFoundation/Cookie.php
@@ -27,6 +27,7 @@ class Cookie
     protected $httpOnly;
     private $raw;
     private $sameSite;
+    private $secureDefault = false;
 
     const SAMESITE_LAX = 'lax';
     const SAMESITE_STRICT = 'strict';
@@ -72,15 +73,19 @@ public static function fromString($cookie, $decode = false)
      * @param int|string|\DateTimeInterface $expire   The time the cookie expires
      * @param string                        $path     The path on the server in which the cookie will be available on
      * @param string|null                   $domain   The domain that the cookie is available to
-     * @param bool                          $secure   Whether the cookie should only be transmitted over a secure HTTPS connection from the client
+     * @param bool|null                     $secure   Whether the cookie should only be transmitted over a secure HTTPS connection from the client or null to set it later using {@see setSecureDefault()}
      * @param bool                          $httpOnly Whether the cookie will be made accessible only through the HTTP protocol
      * @param bool                          $raw      Whether the cookie value should be sent with no url encoding
      * @param string|null                   $sameSite Whether the cookie will be available for cross-site requests
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(string $name, string $value = null, $expire = 0, ?string $path = '/', string $domain = null, bool $secure = false, bool $httpOnly = true, bool $raw = false, string $sameSite = null)
+    public function __construct(string $name, string $value = null, $expire = 0, ?string $path = '/', string $domain = null, ?bool $secure = false, bool $httpOnly = true, bool $raw = false, string $sameSite = null)
     {
+        if (6 > \func_num_args()) {
+            @trigger_error(sprintf('The default value of the 6th "$secure" argument of "%s"\'s constructor will change from "false" to "null" in Symfony 5.0, you should define its value explicitly when calling it to prevent any unwanted behavior change. Setting it to "null" will auto-enable the "secure" attribute when an HTTPS request  comes in.', __METHOD__), E_USER_DEPRECATED);
+        }
+
         // from PHP source code
         if (preg_match("/[=,; \t\r\n\013\014]/", $name)) {
             throw new \InvalidArgumentException(sprintf('The cookie name "%s" contains invalid characters.', $name));
@@ -232,7 +237,7 @@ public function getPath()
      */
     public function isSecure()
     {
-        return $this->secure;
+        return $this->secure ?? $this->secureDefault;
     }
 
     /**
@@ -274,4 +279,12 @@ public function getSameSite()
     {
         return $this->sameSite;
     }
+
+    /**
+     * @param bool $default The default value of the "secure" flag when it is set to null
+     */
+    public function setSecureDefault(bool $default): void
+    {
+        $this->secureDefault = $default;
+    }
 }
diff --git a/src/Symfony/Component/HttpFoundation/Response.php b/src/Symfony/Component/HttpFoundation/Response.php
@@ -313,6 +313,12 @@ public function prepare(Request $request)
 
         $this->ensureIEOverSSLCompatibility($request);
 
+        if ($request->isSecure()) {
+            foreach ($headers->getCookies() as $cookie) {
+                $cookie->setSecureDefault(true);
+            }
+        }
+
         return $this;
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/ResponseHeaderBag.php b/src/Symfony/Component/HttpFoundation/ResponseHeaderBag.php
@@ -247,6 +247,10 @@ public function getCookies($format = self::COOKIES_FLAT)
      */
     public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true)
     {
+        if (4 > \func_num_args()) {
+            @trigger_error(sprintf('The default value of the 4th "$secure" argument of method "%s()" will change from "false" to "null" in Symfony 5.0, you should define its value explicitly when calling the method to prevent any unwanted behavior change. Setting it to "null" will auto-enable the "secure" attribute when an HTTPS request comes in.', __METHOD__), E_USER_DEPRECATED);
+        }
+
         $this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly));
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/CookieTest.php b/src/Symfony/Component/HttpFoundation/Tests/CookieTest.php
@@ -45,85 +45,85 @@ public function invalidNames()
      */
     public function testInstantiationThrowsExceptionIfCookieNameContainsInvalidCharacters($name)
     {
-        new Cookie($name);
+        new Cookie($name, null, 0, '/', null, false);
     }
 
     /**
      * @expectedException \InvalidArgumentException
      */
     public function testInvalidExpiration()
     {
-        new Cookie('MyCookie', 'foo', 'bar');
+        new Cookie('MyCookie', 'foo', 'bar', '/', null, false);
     }
 
     public function testNegativeExpirationIsNotPossible()
     {
-        $cookie = new Cookie('foo', 'bar', -100);
+        $cookie = new Cookie('foo', 'bar', -100, '/', null, false);
 
         $this->assertSame(0, $cookie->getExpiresTime());
     }
 
     public function testGetValue()
     {
         $value = 'MyValue';
-        $cookie = new Cookie('MyCookie', $value);
+        $cookie = new Cookie('MyCookie', $value, '/', null, false);
 
         $this->assertSame($value, $cookie->getValue(), '->getValue() returns the proper value');
     }
 
     public function testGetPath()
     {
-        $cookie = new Cookie('foo', 'bar');
+        $cookie = new Cookie('foo', 'bar', 0, '/', null, false);
 
         $this->assertSame('/', $cookie->getPath(), '->getPath() returns / as the default path');
     }
 
     public function testGetExpiresTime()
     {
-        $cookie = new Cookie('foo', 'bar');
+        $cookie = new Cookie('foo', 'bar', 0, '/', null, false);
 
         $this->assertEquals(0, $cookie->getExpiresTime(), '->getExpiresTime() returns the default expire date');
 
-        $cookie = new Cookie('foo', 'bar', $expire = time() + 3600);
+        $cookie = new Cookie('foo', 'bar', $expire = time() + 3600, '/', null, false);
 
         $this->assertEquals($expire, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');
     }
 
     public function testGetExpiresTimeIsCastToInt()
     {
-        $cookie = new Cookie('foo', 'bar', 3600.9);
+        $cookie = new Cookie('foo', 'bar', 3600.9, '/', null, false);
 
         $this->assertSame(3600, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date as an integer');
     }
 
     public function testConstructorWithDateTime()
     {
         $expire = new \DateTime();
-        $cookie = new Cookie('foo', 'bar', $expire);
+        $cookie = new Cookie('foo', 'bar', $expire, '/', null, false);
 
         $this->assertEquals($expire->format('U'), $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');
     }
 
     public function testConstructorWithDateTimeImmutable()
     {
         $expire = new \DateTimeImmutable();
-        $cookie = new Cookie('foo', 'bar', $expire);
+        $cookie = new Cookie('foo', 'bar', $expire, '/', null, false);
 
         $this->assertEquals($expire->format('U'), $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');
     }
 
     public function testGetExpiresTimeWithStringValue()
     {
         $value = '+1 day';
-        $cookie = new Cookie('foo', 'bar', $value);
+        $cookie = new Cookie('foo', 'bar', $value, '/', null, false);
         $expire = strtotime($value);
 
         $this->assertEquals($expire, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date', 1);
     }
 
     public function testGetDomain()
     {
-        $cookie = new Cookie('foo', 'bar', 0, '/', '.myfoodomain.com');
+        $cookie = new Cookie('foo', 'bar', 0, '/', '.myfoodomain.com', false);
 
         $this->assertEquals('.myfoodomain.com', $cookie->getDomain(), '->getDomain() returns the domain name on which the cookie is valid');
     }
@@ -144,26 +144,26 @@ public function testIsHttpOnly()
 
     public function testCookieIsNotCleared()
     {
-        $cookie = new Cookie('foo', 'bar', time() + 3600 * 24);
+        $cookie = new Cookie('foo', 'bar', time() + 3600 * 24, '/', null, false);
 
         $this->assertFalse($cookie->isCleared(), '->isCleared() returns false if the cookie did not expire yet');
     }
 
     public function testCookieIsCleared()
     {
-        $cookie = new Cookie('foo', 'bar', time() - 20);
+        $cookie = new Cookie('foo', 'bar', time() - 20, '/', null, false);
 
         $this->assertTrue($cookie->isCleared(), '->isCleared() returns true if the cookie has expired');
 
-        $cookie = new Cookie('foo', 'bar');
+        $cookie = new Cookie('foo', 'bar', 0, '/', null, false);
 
         $this->assertFalse($cookie->isCleared());
 
-        $cookie = new Cookie('foo', 'bar', 0);
+        $cookie = new Cookie('foo', 'bar', 0, '/', null, false);
 
         $this->assertFalse($cookie->isCleared());
 
-        $cookie = new Cookie('foo', 'bar', -1);
+        $cookie = new Cookie('foo', 'bar', -1, '/', null, false);
 
         $this->assertFalse($cookie->isCleared());
     }
@@ -176,10 +176,10 @@ public function testToString()
         $cookie = new Cookie('foo', 'bar with white spaces', strtotime('Fri, 20-May-2011 15:25:52 GMT'), '/', '.myfoodomain.com', true);
         $this->assertEquals('foo=bar%20with%20white%20spaces; expires=Fri, 20-May-2011 15:25:52 GMT; Max-Age=0; path=/; domain=.myfoodomain.com; secure; httponly', (string) $cookie, '->__toString() encodes the value of the cookie according to RFC 3986 (white space = %20)');
 
-        $cookie = new Cookie('foo', null, 1, '/admin/', '.myfoodomain.com');
+        $cookie = new Cookie('foo', null, 1, '/admin/', '.myfoodomain.com', false);
         $this->assertEquals('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', $expire = time() - 31536001).'; Max-Age=0; path=/admin/; domain=.myfoodomain.com; httponly', (string) $cookie, '->__toString() returns string representation of a cleared cookie if value is NULL');
 
-        $cookie = new Cookie('foo', 'bar', 0, '/', '');
+        $cookie = new Cookie('foo', 'bar', 0, '/', '', false);
         $this->assertEquals('foo=bar; path=/; httponly', (string) $cookie);
     }
 
@@ -196,13 +196,13 @@ public function testRawCookie()
 
     public function testGetMaxAge()
     {
-        $cookie = new Cookie('foo', 'bar');
+        $cookie = new Cookie('foo', 'bar', 0, '/', null, false);
         $this->assertEquals(0, $cookie->getMaxAge());
 
-        $cookie = new Cookie('foo', 'bar', $expire = time() + 100);
+        $cookie = new Cookie('foo', 'bar', $expire = time() + 100, '/', null, false);
         $this->assertEquals($expire - time(), $cookie->getMaxAge());
 
-        $cookie = new Cookie('foo', 'bar', $expire = time() - 100);
+        $cookie = new Cookie('foo', 'bar', $expire = time() - 100, '/', null, false);
         $this->assertEquals(0, $cookie->getMaxAge());
     }
 
diff --git a/src/Symfony/Component/HttpFoundation/Tests/Fixtures/response-functional/invalid_cookie_name.php b/src/Symfony/Component/HttpFoundation/Tests/Fixtures/response-functional/invalid_cookie_name.php
@@ -5,7 +5,7 @@
 $r = require __DIR__.'/common.inc';
 
 try {
-    $r->headers->setCookie(new Cookie('Hello + world', 'hodor'));
+    $r->headers->setCookie(new Cookie('Hello + world', 'hodor', 0, '/', null, false));
 } catch (\InvalidArgumentException $e) {
     echo $e->getMessage();
 }
diff --git a/src/Symfony/Component/HttpFoundation/Tests/ResponseHeaderBagTest.php b/src/Symfony/Component/HttpFoundation/Tests/ResponseHeaderBagTest.php
@@ -110,11 +110,11 @@ public function testCacheControlClone()
     public function testToStringIncludesCookieHeaders()
     {
         $bag = new ResponseHeaderBag(array());
-        $bag->setCookie(new Cookie('foo', 'bar'));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/', null, false));
 
         $this->assertSetCookieHeader('foo=bar; path=/; httponly', $bag);
 
-        $bag->clearCookie('foo');
+        $bag->clearCookie('foo', '/', null, false);
 
         $this->assertSetCookieHeader('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', time() - 31536001).'; Max-Age=0; path=/; httponly', $bag);
     }
@@ -154,10 +154,10 @@ public function testReplaceWithRemove()
     public function testCookiesWithSameNames()
     {
         $bag = new ResponseHeaderBag();
-        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/foo', 'foo.bar'));
-        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/bar', 'foo.bar'));
-        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/bar', 'bar.foo'));
-        $bag->setCookie(new Cookie('foo', 'bar'));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/foo', 'foo.bar', false));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/bar', 'foo.bar', false));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/bar', 'bar.foo', false));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/', null, false));
 
         $this->assertCount(4, $bag->getCookies());
         $this->assertEquals('foo=bar; path=/path/foo; domain=foo.bar; httponly', $bag->get('set-cookie'));
@@ -186,8 +186,8 @@ public function testRemoveCookie()
         $bag = new ResponseHeaderBag();
         $this->assertFalse($bag->has('set-cookie'));
 
-        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/foo', 'foo.bar'));
-        $bag->setCookie(new Cookie('bar', 'foo', 0, '/path/bar', 'foo.bar'));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/path/foo', 'foo.bar', false));
+        $bag->setCookie(new Cookie('bar', 'foo', 0, '/path/bar', 'foo.bar', false));
         $this->assertTrue($bag->has('set-cookie'));
 
         $cookies = $bag->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
@@ -209,8 +209,8 @@ public function testRemoveCookie()
     public function testRemoveCookieWithNullRemove()
     {
         $bag = new ResponseHeaderBag();
-        $bag->setCookie(new Cookie('foo', 'bar', 0));
-        $bag->setCookie(new Cookie('bar', 'foo', 0));
+        $bag->setCookie(new Cookie('foo', 'bar', 0, '/', null, false));
+        $bag->setCookie(new Cookie('bar', 'foo', 0, '/', null, false));
 
         $cookies = $bag->getCookies(ResponseHeaderBag::COOKIES_ARRAY);
         $this->assertArrayHasKey('/', $cookies['']);
diff --git a/src/Symfony/Component/HttpKernel/Tests/DataCollector/RequestDataCollectorTest.php b/src/Symfony/Component/HttpKernel/Tests/DataCollector/RequestDataCollectorTest.php
@@ -275,8 +275,8 @@ protected function createResponse()
         $response->headers->set('Content-Type', 'application/json');
         $response->headers->set('X-Foo-Bar', null);
         $response->headers->setCookie(new Cookie('foo', 'bar', 1, '/foo', 'localhost', true, true));
-        $response->headers->setCookie(new Cookie('bar', 'foo', new \DateTime('@946684800')));
-        $response->headers->setCookie(new Cookie('bazz', 'foo', '2000-12-12'));
+        $response->headers->setCookie(new Cookie('bar', 'foo', new \DateTime('@946684800'), '/', null, false));
+        $response->headers->setCookie(new Cookie('bazz', 'foo', '2000-12-12', '/', null, false));
 
         return $response;
     }
diff --git a/src/Symfony/Component/Security/Http/Logout/CookieClearingLogoutHandler.php b/src/Symfony/Component/Security/Http/Logout/CookieClearingLogoutHandler.php
@@ -38,7 +38,7 @@ public function __construct(array $cookies)
     public function logout(Request $request, Response $response, TokenInterface $token)
     {
         foreach ($this->cookies as $cookieName => $cookieData) {
-            $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain']);
+            $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain'], false);
         }
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/ResponseListenerTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/ResponseListenerTest.php
@@ -24,7 +24,7 @@ class ResponseListenerTest extends TestCase
 {
     public function testRememberMeCookieIsSentWithResponse()
     {
-        $cookie = new Cookie('rememberme');
+        $cookie = new Cookie('rememberme', null, 0, '/', null, false);
 
         $request = $this->getRequest(array(
             RememberMeServicesInterface::COOKIE_ATTR_NAME => $cookie,
@@ -39,7 +39,7 @@ public function testRememberMeCookieIsSentWithResponse()
 
     public function testRememberMeCookieIsNotSendWithResponseForSubRequests()
     {
-        $cookie = new Cookie('rememberme');
+        $cookie = new Cookie('rememberme', null, 0, '/', null, false);
 
         $request = $this->getRequest(array(
             RememberMeServicesInterface::COOKIE_ATTR_NAME => $cookie,

Original file line number	Diff line number	Diff line change
`@@ -247,6 +247,10 @@ public function getCookies($format = self::COOKIES_FLAT)`
`247`	`247`	`*/`
`248`	`248`	`public function clearCookie($name, $path = '/', $domain = null, $secure = false, $httpOnly = true)`
`249`	`249`	`{`
	`250`	`+ if (4 > \func_num_args()) {`
	`251`	`+ @trigger_error(sprintf('The default value of the 4th "$secure" argument of method "%s()" will change from "false" to "null" in Symfony 5.0, you should define its value explicitly when calling the method to prevent any unwanted behavior change. Setting it to "null" will auto-enable the "secure" attribute when an HTTPS request comes in.', __METHOD__), E_USER_DEPRECATED);`
	`252`	`+ }`
	`253`	`+`
`250`	`254`	`$this->setCookie(new Cookie($name, null, 1, $path, $domain, $secure, $httpOnly));`
`251`	`255`	`}`
`252`	`256`
Original file line number	Diff line number	Diff line change
`@@ -45,85 +45,85 @@ public function invalidNames()`
`45`	`45`	`*/`
`46`	`46`	`public function testInstantiationThrowsExceptionIfCookieNameContainsInvalidCharacters($name)`
`47`	`47`	`{`
`48`		`- new Cookie($name);`
	`48`	`+ new Cookie($name, null, 0, '/', null, false);`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`/**`
`52`	`52`	`* @expectedException \InvalidArgumentException`
`53`	`53`	`*/`
`54`	`54`	`public function testInvalidExpiration()`
`55`	`55`	`{`
`56`		`- new Cookie('MyCookie', 'foo', 'bar');`
	`56`	`+ new Cookie('MyCookie', 'foo', 'bar', '/', null, false);`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`public function testNegativeExpirationIsNotPossible()`
`60`	`60`	`{`
`61`		`- $cookie = new Cookie('foo', 'bar', -100);`
	`61`	`+ $cookie = new Cookie('foo', 'bar', -100, '/', null, false);`
`62`	`62`
`63`	`63`	`$this->assertSame(0, $cookie->getExpiresTime());`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`public function testGetValue()`
`67`	`67`	`{`
`68`	`68`	`$value = 'MyValue';`
`69`		`- $cookie = new Cookie('MyCookie', $value);`
	`69`	`+ $cookie = new Cookie('MyCookie', $value, '/', null, false);`
`70`	`70`
`71`	`71`	`$this->assertSame($value, $cookie->getValue(), '->getValue() returns the proper value');`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`public function testGetPath()`
`75`	`75`	`{`
`76`		`- $cookie = new Cookie('foo', 'bar');`
	`76`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', null, false);`
`77`	`77`
`78`	`78`	`$this->assertSame('/', $cookie->getPath(), '->getPath() returns / as the default path');`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`public function testGetExpiresTime()`
`82`	`82`	`{`
`83`		`- $cookie = new Cookie('foo', 'bar');`
	`83`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', null, false);`
`84`	`84`
`85`	`85`	`$this->assertEquals(0, $cookie->getExpiresTime(), '->getExpiresTime() returns the default expire date');`
`86`	`86`
`87`		`- $cookie = new Cookie('foo', 'bar', $expire = time() + 3600);`
	`87`	`+ $cookie = new Cookie('foo', 'bar', $expire = time() + 3600, '/', null, false);`
`88`	`88`
`89`	`89`	`$this->assertEquals($expire, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`public function testGetExpiresTimeIsCastToInt()`
`93`	`93`	`{`
`94`		`- $cookie = new Cookie('foo', 'bar', 3600.9);`
	`94`	`+ $cookie = new Cookie('foo', 'bar', 3600.9, '/', null, false);`
`95`	`95`
`96`	`96`	`$this->assertSame(3600, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date as an integer');`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`public function testConstructorWithDateTime()`
`100`	`100`	`{`
`101`	`101`	`$expire = new \DateTime();`
`102`		`- $cookie = new Cookie('foo', 'bar', $expire);`
	`102`	`+ $cookie = new Cookie('foo', 'bar', $expire, '/', null, false);`
`103`	`103`
`104`	`104`	`$this->assertEquals($expire->format('U'), $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`public function testConstructorWithDateTimeImmutable()`
`108`	`108`	`{`
`109`	`109`	`$expire = new \DateTimeImmutable();`
`110`		`- $cookie = new Cookie('foo', 'bar', $expire);`
	`110`	`+ $cookie = new Cookie('foo', 'bar', $expire, '/', null, false);`
`111`	`111`
`112`	`112`	`$this->assertEquals($expire->format('U'), $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date');`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`public function testGetExpiresTimeWithStringValue()`
`116`	`116`	`{`
`117`	`117`	`$value = '+1 day';`
`118`		`- $cookie = new Cookie('foo', 'bar', $value);`
	`118`	`+ $cookie = new Cookie('foo', 'bar', $value, '/', null, false);`
`119`	`119`	`$expire = strtotime($value);`
`120`	`120`
`121`	`121`	`$this->assertEquals($expire, $cookie->getExpiresTime(), '->getExpiresTime() returns the expire date', 1);`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`public function testGetDomain()`
`125`	`125`	`{`
`126`		`- $cookie = new Cookie('foo', 'bar', 0, '/', '.myfoodomain.com');`
	`126`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', '.myfoodomain.com', false);`
`127`	`127`
`128`	`128`	`$this->assertEquals('.myfoodomain.com', $cookie->getDomain(), '->getDomain() returns the domain name on which the cookie is valid');`
`129`	`129`	`}`
`@@ -144,26 +144,26 @@ public function testIsHttpOnly()`
`144`	`144`
`145`	`145`	`public function testCookieIsNotCleared()`
`146`	`146`	`{`
`147`		`- $cookie = new Cookie('foo', 'bar', time() + 3600 * 24);`
	`147`	`+ $cookie = new Cookie('foo', 'bar', time() + 3600 * 24, '/', null, false);`
`148`	`148`
`149`	`149`	`$this->assertFalse($cookie->isCleared(), '->isCleared() returns false if the cookie did not expire yet');`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`public function testCookieIsCleared()`
`153`	`153`	`{`
`154`		`- $cookie = new Cookie('foo', 'bar', time() - 20);`
	`154`	`+ $cookie = new Cookie('foo', 'bar', time() - 20, '/', null, false);`
`155`	`155`
`156`	`156`	`$this->assertTrue($cookie->isCleared(), '->isCleared() returns true if the cookie has expired');`
`157`	`157`
`158`		`- $cookie = new Cookie('foo', 'bar');`
	`158`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', null, false);`
`159`	`159`
`160`	`160`	`$this->assertFalse($cookie->isCleared());`
`161`	`161`
`162`		`- $cookie = new Cookie('foo', 'bar', 0);`
	`162`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', null, false);`
`163`	`163`
`164`	`164`	`$this->assertFalse($cookie->isCleared());`
`165`	`165`
`166`		`- $cookie = new Cookie('foo', 'bar', -1);`
	`166`	`+ $cookie = new Cookie('foo', 'bar', -1, '/', null, false);`
`167`	`167`
`168`	`168`	`$this->assertFalse($cookie->isCleared());`
`169`	`169`	`}`
`@@ -176,10 +176,10 @@ public function testToString()`
`176`	`176`	`$cookie = new Cookie('foo', 'bar with white spaces', strtotime('Fri, 20-May-2011 15:25:52 GMT'), '/', '.myfoodomain.com', true);`
`177`	`177`	`$this->assertEquals('foo=bar%20with%20white%20spaces; expires=Fri, 20-May-2011 15:25:52 GMT; Max-Age=0; path=/; domain=.myfoodomain.com; secure; httponly', (string) $cookie, '->__toString() encodes the value of the cookie according to RFC 3986 (white space = %20)');`
`178`	`178`
`179`		`- $cookie = new Cookie('foo', null, 1, '/admin/', '.myfoodomain.com');`
	`179`	`+ $cookie = new Cookie('foo', null, 1, '/admin/', '.myfoodomain.com', false);`
`180`	`180`	`$this->assertEquals('foo=deleted; expires='.gmdate('D, d-M-Y H:i:s T', $expire = time() - 31536001).'; Max-Age=0; path=/admin/; domain=.myfoodomain.com; httponly', (string) $cookie, '->__toString() returns string representation of a cleared cookie if value is NULL');`
`181`	`181`
`182`		`- $cookie = new Cookie('foo', 'bar', 0, '/', '');`
	`182`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', '', false);`
`183`	`183`	`$this->assertEquals('foo=bar; path=/; httponly', (string) $cookie);`
`184`	`184`	`}`
`185`	`185`
`@@ -196,13 +196,13 @@ public function testRawCookie()`
`196`	`196`
`197`	`197`	`public function testGetMaxAge()`
`198`	`198`	`{`
`199`		`- $cookie = new Cookie('foo', 'bar');`
	`199`	`+ $cookie = new Cookie('foo', 'bar', 0, '/', null, false);`
`200`	`200`	`$this->assertEquals(0, $cookie->getMaxAge());`
`201`	`201`
`202`		`- $cookie = new Cookie('foo', 'bar', $expire = time() + 100);`
	`202`	`+ $cookie = new Cookie('foo', 'bar', $expire = time() + 100, '/', null, false);`
`203`	`203`	`$this->assertEquals($expire - time(), $cookie->getMaxAge());`
`204`	`204`
`205`		`- $cookie = new Cookie('foo', 'bar', $expire = time() - 100);`
	`205`	`+ $cookie = new Cookie('foo', 'bar', $expire = time() - 100, '/', null, false);`
`206`	`206`	`$this->assertEquals(0, $cookie->getMaxAge());`
`207`	`207`	`}`
`208`	`208`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`$r = require __DIR__.'/common.inc';`
`6`	`6`
`7`	`7`	`try {`
`8`		`- $r->headers->setCookie(new Cookie('Hello + world', 'hodor'));`
	`8`	`+ $r->headers->setCookie(new Cookie('Hello + world', 'hodor', 0, '/', null, false));`
`9`	`9`	`} catch (\InvalidArgumentException $e) {`
`10`	`10`	`echo $e->getMessage();`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public function __construct(array $cookies)`
`38`	`38`	`public function logout(Request $request, Response $response, TokenInterface $token)`
`39`	`39`	`{`
`40`	`40`	`foreach ($this->cookies as $cookieName => $cookieData) {`
`41`		`- $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain']);`
	`41`	`+ $response->headers->clearCookie($cookieName, $cookieData['path'], $cookieData['domain'], false);`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ class ResponseListenerTest extends TestCase`
`24`	`24`	`{`
`25`	`25`	`public function testRememberMeCookieIsSentWithResponse()`
`26`	`26`	`{`
`27`		`- $cookie = new Cookie('rememberme');`
	`27`	`+ $cookie = new Cookie('rememberme', null, 0, '/', null, false);`
`28`	`28`
`29`	`29`	`$request = $this->getRequest(array(`
`30`	`30`	`RememberMeServicesInterface::COOKIE_ATTR_NAME => $cookie,`
`@@ -39,7 +39,7 @@ public function testRememberMeCookieIsSentWithResponse()`
`39`	`39`
`40`	`40`	`public function testRememberMeCookieIsNotSendWithResponseForSubRequests()`
`41`	`41`	`{`
`42`		`- $cookie = new Cookie('rememberme');`
	`42`	`+ $cookie = new Cookie('rememberme', null, 0, '/', null, false);`
`43`	`43`
`44`	`44`	`$request = $this->getRequest(array(`
`45`	`45`	`RememberMeServicesInterface::COOKIE_ATTR_NAME => $cookie,`