codeigniter4 · kenjis · Apr 25, 2024 · Apr 21, 2024
diff --git a/system/HTTP/ResponseTrait.php b/system/HTTP/ResponseTrait.php
@@ -670,7 +670,7 @@ private function dispatchCookies(): void
 
         foreach ($this->cookieStore->display() as $cookie) {
             if ($cookie->isSecure() && ! $request->isSecure()) {
-                throw SecurityException::forDisallowedAction();
+                throw SecurityException::forInsecureCookie();
             }
 
             $name    = $cookie->getPrefixedName();

diff --git a/system/Language/en/Security.php b/system/Language/en/Security.php
@@ -14,6 +14,7 @@
 // Security language settings
 return [
     'disallowedAction' => 'The action you requested is not allowed.',
+    'insecureCookie'   => 'Attempted to send a secure cookie over a non-secure connection.',
 
     // @deprecated
     'invalidSameSite' => 'The SameSite value must be None, Lax, Strict, or a blank string. Given: "{0}"',

diff --git a/system/Security/Exceptions/SecurityException.php b/system/Security/Exceptions/SecurityException.php
@@ -20,6 +20,7 @@ class SecurityException extends FrameworkException implements HTTPExceptionInter
 {
     /**
      * Throws when some specific action is not allowed.
+     * This is used for CSRF protection.
      *
      * @return static
      */
@@ -28,6 +29,15 @@ public static function forDisallowedAction()
         return new static(lang('Security.disallowedAction'), 403);
     }
 
+    /**
+     * Throws if a secure cookie is dispatched when the current connection is not
+     * secure.
+     */
+    public static function forInsecureCookie(): static
+    {
+        return new static(lang('Security.insecureCookie'));
+    }
+
     /**
      * Throws when the source string contains invalid UTF-8 characters.
      *

diff --git a/tests/system/HTTP/ResponseSendTest.php b/tests/system/HTTP/ResponseSendTest.php
@@ -162,14 +162,11 @@ public function testRedirectResponseCookies(): void
 
     /**
      * Make sure secure cookies are not sent with HTTP request
-     *
-     * @ runInSeparateProcess
-     * @ preserveGlobalState  disabled
      */
     public function testDoNotSendUnSecureCookie(): void
     {
         $this->expectException(SecurityException::class);
-        $this->expectExceptionMessage('The action you requested is not allowed');
+        $this->expectExceptionMessage('Attempted to send a secure cookie over a non-secure connection.');
 
         $request = $this->createMock(IncomingRequest::class);
         $request->method('isSecure')->willReturn(false);

diff --git a/user_guide_src/source/changelogs/v4.5.2.rst b/user_guide_src/source/changelogs/v4.5.2.rst
@@ -18,6 +18,8 @@ BREAKING
 Message Changes
 ***************
 
+- Added ``Security.insecureCookie`` message.
+
 *******
 Changes
 *******