From 8369b6b13333e4dde69eddbb4a1fe8b9caa2755c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Wed, 7 Oct 2015 19:43:12 +0000
Subject: [PATCH] Set autologin cookie as secure by default when using https (#20935).

git-svn-id: http://svn.redmine.org/redmine/trunk@14648 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index d5e0f30e2..26121ce4a 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -265,11 +265,15 @@ class AccountController < ApplicationController
 def set_autologin_cookie(user)
 token = Token.create(:user => user, :action => 'autologin')
+ secure = Redmine::Configuration['autologin_cookie_secure']
+ if secure.nil?
+ secure = request.ssl?
+ end
 cookie_options = {
 :value => token.value,
 :expires => 1.year.from_now,
 :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),
- :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false),
+ :secure => secure,
 :httponly => true
 }
 cookies[autologin_cookie_name] = cookie_options
--
2.39.5
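Review bot: The new default in `set_autologin_cookie` rests on `request.ssl?`, which only reflects the scheme the application itself sees; if TLS is terminated at a reverse proxy that does not forward the original scheme, this presumably evaluates to false and the autologin cookie is still issued without the Secure flag. An explicit `autologin_cookie_secure: false` in the configuration also keeps overriding the detection, because only a `nil` setting falls through to `request.ssl?`. Both facts deserve a comment at the assignment, for example `# nil => follow request.ssl?; behind a TLS-terminating proxy set autologin_cookie_secure to true explicitly`. The configured value is also no longer coerced as the removed `? true : false` did, so `:secure => !!secure` would keep the option strictly boolean. The method's closing `end` lies outside the hunk.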