From 569a5be5617fdd8b784a12765ced8b1062e036d6 Mon Sep 17 00:00:00 2001 From: James Rhodes Date: Sat, 15 Feb 2014 12:20:46 +1100 Subject: [PATCH] Fix issue where accessing HTTP domain would override HTTPS cookie Summary: This fixes an issue where visiting http://code.redpointsoftware.com.au/ would log you out of https://code.redpointsoftware.com.au/ Test Plan: Applied this patch to a live server and saw the issue go away. Reviewers: epriestley, #blessed_reviewers Reviewed By: epriestley CC: Korvin, epriestley, aran Differential Revision: https://secure.phabricator.com/D8244
---
 src/aphront/AphrontRequest.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
index 050c71f1d7..99e051a1ec 100644
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -305,6 +305,11 @@ final class AphrontRequest {
 * @task cookie
 */
 private function getCookieDomainURI() {
+ if (PhabricatorEnv::getEnvConfig('security.require-https') &&
+ !$this->isHTTPS()) {
+ return null;
+ }
+
 $host = $this->getHost();

 // If there's no base domain configured, just use whatever the request
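Review bot: The early `return null` added at the top of getCookieDomainURI() gives the method a new failure value, and nothing in the hunk shows how its callers treat it; the rest of the function and the cookie setters lie outside the hunk, so each caller should be checked to handle null rather than dereference it or report a misleading host-mismatch error. The new branch also has no comment, and something like `// Never set or clear cookies over plain HTTP when HTTPS is required; callers must handle a null return.` above the `if` would record the intent. The guard depends on `isHTTPS()`, which may report false for genuinely secure requests if TLS is terminated at a proxy or load balancer in front of PHP, in which case no cookies would be set at all; that is worth confirming for such deployments. This check only stops the application from issuing cookies over HTTP, so an HTTP-to-HTTPS redirect and HSTS remain the controls that keep a plain-HTTP response from replacing the HTTPS cookie in the browser.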