Use secure cookie for HTTPS sites (#26999) (#27013)

Backport #26999 If the AppURL(ROOT_URL) is an HTTPS URL, then the COOKIE_SECURE's default value should be true. And, if a user visits an "http" site with "https" AppURL, they won't be able to login, and they should have been warned. The only problem is that the "language" can't be set either in such case, while I think it is not a serious problem, and it could be fixed easily if needed.
2025-08-09 11:08:19 +00:00 · 2023-09-11 17:59:00 +08:00
parent 3c53740244
commit b0a405c5fa
4 changed files with 5 additions and 5 deletions
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1724,8 +1724,8 @@ LEVEL = Info
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
 ;;
-;; If you use session in https only, default is false
-;COOKIE_SECURE = false
+;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
+;COOKIE_SECURE =
 ;;
 ;; Session GC time interval in seconds, default is 86400 (1 day)
 ;GC_INTERVAL_TIME = 86400