Use secure cookie for HTTPS sites (#26999)

If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's default value should be true. And, if a user visits an "http" site with "https" AppURL, they won't be able to login, and they should have been warned. The only problem is that the "language" can't be set either in such case, while I think it is not a serious problem, and it could be fixed easily if needed. ![image](https://github.com/go-gitea/gitea/assets/2114189/7bc9a859-dcc1-467d-bc7c-1dd6a10389e3)
author: wxiaoguang <wxiaoguang@gmail.com> 2023-09-11 17:03:51 +0800
committer: GitHub <noreply@github.com> 2023-09-11 17:03:51 +0800
commit: 998cea5888cb895159e35caf9fec969c440399d0 (patch)
tree: 1edbaa65443a824bcc1bbe2d1229a8ed7679214b /custom/conf/app.example.ini
parent: 6d96f0b0d1c74523b9f3d26360aa63d92c307959 (diff)
download: gitea-998cea5888cb895159e35caf9fec969c440399d0.tar.gz
gitea-998cea5888cb895159e35caf9fec969c440399d0.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index fbaea9dc27..f0b0cc298b 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1746,8 +1746,8 @@ LEVEL = Info
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
 ;;
-;; If you use session in https only, default is false
-;COOKIE_SECURE = false
+;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
+;COOKIE_SECURE =
 ;;
 ;; Session GC time interval in seconds, default is 86400 (1 day)
 ;GC_INTERVAL_TIME = 86400
author	wxiaoguang <wxiaoguang@gmail.com>	2023-09-11 17:03:51 +0800
committer	GitHub <noreply@github.com>	2023-09-11 17:03:51 +0800
commit	998cea5888cb895159e35caf9fec969c440399d0 (patch)
tree	1edbaa65443a824bcc1bbe2d1229a8ed7679214b /custom/conf/app.example.ini
parent	6d96f0b0d1c74523b9f3d26360aa63d92c307959 (diff)
download	gitea-998cea5888cb895159e35caf9fec969c440399d0.tar.gz gitea-998cea5888cb895159e35caf9fec969c440399d0.zip