Diffstat (limited to 'includes/WebResponse.php')
-rw-r--r-- | includes/WebResponse.php | 56 |
1 files changed, 36 insertions, 20 deletions
diff --git a/includes/WebResponse.php b/includes/WebResponse.php
index 193101b1..8e15d712 100644
--- a/includes/WebResponse.php
+++ b/includes/WebResponse.php
@@ -30,8 +30,8 @@ class WebResponse {
 /**
 * Output a HTTP header, wrapper for PHP's
 * header()
- * @param $string String: header to output
- * @param $replace Bool: replace current similar header
+ * @param string $string header to output
+ * @param bool $replace replace current similar header
 * @param $http_response_code null|int Forces the HTTP response code to the specified value.
 */
 public function header( $string, $replace = true, $http_response_code = null ) {
@@ -40,15 +40,20 @@ class WebResponse { /** * Set the browser cookie - * @param $name String: name of cookie - * @param $value String: value to give cookie - * @param $expire Int: number of seconds til cookie expires - * @param $prefix String: Prefix to use, if not $wgCookiePrefix (use '' for no prefix) - * @param @domain String: Cookie domain to use, if not $wgCookieDomain + * @param string $name name of cookie + * @param string $value value to give cookie + * @param int $expire Unix timestamp (in seconds) when the cookie should expire. + * 0 (the default) causes it to expire $wgCookieExpiration seconds from now. + * @param string $prefix Prefix to use, if not $wgCookiePrefix (use '' for no prefix) + * @param string $domain Cookie domain to use, if not $wgCookieDomain + * @param $forceSecure Bool: + * true: force the cookie to be set with the secure attribute + * false: force the cookie to be set without the secure attribute + * null: use the value from $wgCookieSecure */ - public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null ) { + public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null, $forceSecure = null ) { global $wgCookiePath, $wgCookiePrefix, $wgCookieDomain; - global $wgCookieSecure,$wgCookieExpiration, $wgCookieHttpOnly; + global $wgCookieSecure, $wgCookieExpiration, $wgCookieHttpOnly; if ( $expire == 0 ) { $expire = time() + $wgCookieExpiration; } @@ -58,7 +63,18 @@ class WebResponse { if( $domain === null ) { $domain = $wgCookieDomain; } - $httpOnlySafe = wfHttpOnlySafe() && $wgCookieHttpOnly; + + if ( is_null( $forceSecure ) ) { + $secureCookie = $wgCookieSecure; + } else { + $secureCookie = $forceSecure; + } + + // Mark the cookie as httpOnly if $wgCookieHttpOnly is true, + // unless the requesting user-agent is known to have trouble with + // httpOnly cookies. + $httpOnlySafe = $wgCookieHttpOnly && wfHttpOnlySafe(); + wfDebugLog( 'cookie', 'setcookie: "' . implode( '", "', array( 
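Review bot: The new `$forceSecure` doc entry is written in the old `@param $forceSecure Bool:` form that this same hunk converts away from for every other parameter, and the type does not show that null is accepted. Suggest `@param bool|null $forceSecure`, and on the `false` line a warning that it drops the Secure attribute even when `$wgCookieSecure` is true, so the cookie can then be sent over plain HTTP. The body of setcookie() continues outside this hunk.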
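Review bot: `$secureCookie = $forceSecure;` passes on whatever non-null value the caller supplied, so `0` or `''` silently removes the Secure attribute and a string such as `'false'` sets it. Because this parameter can override the site-wide `$wgCookieSecure` policy, normalise it here and use the strict test already applied to `$domain` just above: `$secureCookie = ( $forceSecure === null ) ? $wgCookieSecure : (bool)$forceSecure;`. The cast does not change which way such values fall, but it ensures wfDebugLog() and setcookie() receive a real boolean; callers should pass only true, false or null. The function starts before this hunk and the wfDebugLog() call at its end is cut off.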
@@ -67,14 +83,14 @@ class WebResponse { $expire, $wgCookiePath, $domain, - $wgCookieSecure, + $secureCookie, $httpOnlySafe ) ) . '"' ); setcookie( $prefix . $name, $value, $expire, $wgCookiePath, $domain, - $wgCookieSecure, + $secureCookie, $httpOnlySafe ); } } @@ -89,8 +105,8 @@ class FauxResponse extends WebResponse { /** * Stores a HTTP header - * @param $string String: header to output - * @param $replace Bool: replace current similar header + * @param string $string header to output + * @param bool $replace replace current similar header * @param $http_response_code null|int Forces the HTTP response code to the specified value. */ public function header( $string, $replace = true, $http_response_code = null ) { @@ -133,14 +149,14 @@ class FauxResponse extends WebResponse { /** * @todo document. It just ignore optional parameters. * - * @param $name String: name of cookie - * @param $value String: value to give cookie - * @param $expire Int: number of seconds til cookie expires (Default: 0) + * @param string $name name of cookie + * @param string $value value to give cookie + * @param int $expire number of seconds til cookie expires (Default: 0) * @param $prefix TODO DOCUMENT (Default: null) * @param $domain TODO DOCUMENT (Default: null) - * + * @param $forceSecure TODO DOCUMENT (Default: null) */ - public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null ) { + public function setcookie( $name, $value, $expire = 0, $prefix = null, $domain = null, $forceSecure = null ) { $this->cookies[$name] = $value; } @@ -148,7 +164,7 @@ class FauxResponse extends WebResponse { * @param $name string * @return string */ - public function getcookie( $name ) { + public function getcookie( $name ) { if ( isset( $this->cookies[$name] ) ) { return $this->cookies[$name]; } |
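Review bot: In the wfDebugLog() argument list, `$secureCookie` and `$httpOnlySafe` go through implode(), which renders true as `1` and false as an empty string, so a cookie set without Secure or HttpOnly appears in the 'cookie' log only as `""`. Now that a caller can switch Secure off per cookie, this log line is where that would be noticed; consider `$secureCookie ? 'secure' : 'insecure'` in the array, and the equivalent for `$httpOnlySafe`. The start of the array is outside this hunk, so check separately whether the cookie value itself is written to the log.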
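Review bot: FauxResponse::setcookie() accepts `$forceSecure` but still stores only `$this->cookies[$name] = $value;`, so code exercised through FauxResponse cannot be checked for whether it requested a secure cookie. At minimum, replace `@param $forceSecure TODO DOCUMENT (Default: null)` with `@param bool|null $forceSecure accepted for signature compatibility with WebResponse::setcookie(), ignored here`. Recording the flag alongside the value would let tests assert it, but getcookie() in the following hunk returns the stored value directly and would have to change with it.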