From 5b8d0011b3c0757f2a882561d76a0b1331525e7d Mon Sep 17 00:00:00 2001
From: kato
Date: Thu, 5 Dec 2024 17:14:23 +0900
Subject: [PATCH] =?UTF-8?q?fix=20#4067=20Cookie=EF=BC=88csrfToken=EF=BC=89?=
 =?UTF-8?q?=E3=81=ABsecure=E5=B1=9E=E6=80=A7=E3=81=8C=E4=BB=98=E3=81=8B?=
 =?UTF-8?q?=E3=81=AA=E3=81=84=E5=95=8F=E9=A1=8C=E3=82=92=E8=A7=A3=E6=B1=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/Application.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/Application.php b/src/Application.php
index c4a2b3fa6b..af06a1976e 100644
--- a/src/Application.php
+++ b/src/Application.php
@@ -64,6 +64,12 @@ public function bootstrap(): void
 */
 public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 {
+ $csrfProtectionMiddlewareOptions = ['httponly' => true];
+ //リクエストがhttpsならcsrfTokenにもsecureヘッダを付与
+ $sessionConfig = (array)Configure::read('Session');
+ if (!empty($sessionConfig['ini']['session.cookie_secure']) || ini_get('session.cookie_secure') == 1) {
+ $csrfProtectionMiddlewareOptions['secure'] = true;
+ }
 $middlewareQueue
 // Catch any exceptions in the lower layers,
 // and make an error page/response
@@ -87,9 +93,7 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 // Cross Site Request Forgery (CSRF) Protection Middleware
 // https://book.cakephp.org/5/en/security/csrf.html#cross-site-request-forgery-csrf-middleware
- ->add(new CsrfProtectionMiddleware([
- 'httponly' => true,
- ]));
+ ->add(new CsrfProtectionMiddleware($csrfProtectionMiddlewareOptions));
 return $middlewareQueue;
 }
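Review bot: The `ini_get('session.cookie_secure') == 1` test on the new `if` line is a loose comparison against the raw ini string, so if the directive was set at runtime with a value such as `On`, `true` or `yes` (which `ini_get` may return unnormalized) it is treated as off and the csrfToken cookie is emitted without `Secure`; likewise `!empty()` on the Configure value accepts the string `'Off'` as enabled. Normalising both through the boolean filter is more robust: `$iniSecure = filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN);` and `if (filter_var($sessionConfig['ini']['session.cookie_secure'] ?? false, FILTER_VALIDATE_BOOLEAN) || $iniSecure) {`. The comment above the check says the flag follows whether the request is HTTPS, but the code reads the session cookie configuration once when the middleware queue is built, not the current request's scheme; `// Mirror the session cookie's secure setting onto the csrfToken cookie (evaluated at bootstrap, not per request)` describes it accurately. The body of middleware() continues past this hunk.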