Merge pull request #4874 from magento-mpi/MAGETWO-99161

MAGETWO-99161: Frontend cookies are not set with secure flag on https

Author: dhorytskyi

Diff for: app/code/Magento/Cookie/Block/DataProviders/SessionConfig.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Cookie\Block\DataProviders;
+
+use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Provide cookie configuration
+ */
+class SessionConfig implements ArgumentInterface
+{
+    /**
+     * Session config
+     *
+     * @var ConfigInterface
+     */
+    private $sessionConfig;
+
+    /**
+     * Constructor
+     *
+     * @param ConfigInterface $sessionConfig
+     */
+    public function __construct(
+        ConfigInterface $sessionConfig
+    ) {
+        $this->sessionConfig = $sessionConfig;
+    }
+    /**
+     * Get session.cookie_secure
+     *
+     * @return bool
+     * @SuppressWarnings(PHPMD.BooleanGetMethodName)
+     */
+    public function getCookieSecure()
+    {
+        return $this->sessionConfig->getCookieSecure();
+    }
+}

Diff for: app/code/Magento/Cookie/view/adminhtml/layout/default.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
+    <body>
+        <referenceContainer name="after.body.start">
+            <block class="Magento\Framework\View\Element\Js\Cookie" name="cookie_config" template="Magento_Cookie::html/cookie.phtml">
+                <arguments>
+                    <argument name="session_config" xsi:type="object">Magento\Cookie\Block\DataProviders\SessionConfig</argument>
+                </arguments>
+            </block>
+        </referenceContainer>
+    </body>
+</page>

Diff for: app/code/Magento/Cookie/view/base/requirejs-config.js

@@ -0,0 +1,10 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+var config = {
+    paths: {
+        'jquery/jquery-storageapi': 'Magento_Cookie/js/jquery.storageapi.extended'
+    }
+};

Diff for: app/code/Magento/Cookie/view/base/templates/html/cookie.phtml

@@ -0,0 +1,17 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/**
+ * Cookie settings initialization script
+ *
+ * @var $block \Magento\Framework\View\Element\Js\Cookie
+ */
+?>
+
+<script>
+    window.cookiesConfig = window.cookiesConfig || {};
+    window.cookiesConfig.secure = <?= /* @noEscape */ $block->getSessionConfig()->getCookieSecure() ? 'true' : 'false' ?>;
+</script>

Diff for: app/code/Magento/Cookie/view/base/web/js/jquery.storageapi.extended.js

@@ -0,0 +1,69 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+define([
+    'jquery',
+    'jquery/jquery.cookie',
+    'jquery/jquery.storageapi.min'
+], function ($) {
+    'use strict';
+
+    /**
+     *
+     * @param {Object} storage
+     * @private
+     */
+    function _extend(storage) {
+        $.extend(storage, {
+            _secure: window.cookiesConfig ? window.cookiesConfig.secure : false,
+
+            /**
+             * Set value under name
+             * @param {String} name
+             * @param {String} value
+             * @param {Object} [options]
+             */
+            setItem: function (name, value, options) {
+                var _default = {
+                    expires: this._expires,
+                    path: this._path,
+                    domain: this._domain,
+                    secure: this._secure
+                };
+
+                $.cookie(this._prefix + name, value, $.extend(_default, options || {}));
+            },
+
+            /**
+             * Set default options
+             * @param {Object} c
+             * @returns {storage}
+             */
+            setConf: function (c) {
+                if (c.path) {
+                    this._path = c.path;
+                }
+
+                if (c.domain) {
+                    this._domain = c.domain;
+                }
+
+                if (c.expires) {
+                    this._expires = c.expires;
+                }
+
+                if (typeof c.secure !== 'undefined') {
+                    this._secure = c.secure;
+                }
+
+                return this;
+            }
+        });
+    }
+
+    if (window.cookieStorage) {
+        _extend(window.cookieStorage);
+    }
+});

Diff for: app/code/Magento/Cookie/view/frontend/layout/default.xml

@@ -9,6 +9,11 @@
     <body>
         <referenceContainer name="after.body.start">
             <block class="Magento\Cookie\Block\Html\Notices" name="cookie_notices" template="Magento_Cookie::html/notices.phtml"/>
+            <block class="Magento\Framework\View\Element\Js\Cookie" name="cookie_config" template="Magento_Cookie::html/cookie.phtml">
+                <arguments>
+                    <argument name="session_config" xsi:type="object">Magento\Cookie\Block\DataProviders\SessionConfig</argument>
+                </arguments>
+            </block>
         </referenceContainer>
     </body>
 </page>

Diff for: app/code/Magento/PageCache/Plugin/RegisterFormKeyFromCookie.php

@@ -10,10 +10,10 @@
 namespace Magento\PageCache\Plugin;
 
 use Magento\Framework\App\PageCache\FormKey as CacheFormKey;
-use Magento\Framework\Escaper;
 use Magento\Framework\Data\Form\FormKey;
-use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
+use Magento\Framework\Escaper;
 use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 
 /**
  * Allow for registration of a form key through cookies.
@@ -46,7 +46,7 @@ class RegisterFormKeyFromCookie
     private $sessionConfig;
 
     /**
-     * @param CacheFormKey $formKey
+     * @param CacheFormKey $cacheFormKey
      * @param Escaper $escaper
      * @param FormKey $formKey
      * @param CookieMetadataFactory $cookieMetadataFactory
@@ -70,7 +70,6 @@ public function __construct(
      * Set form key from the cookie.
      *
      * @return void
-     *
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function beforeDispatch(): void
@@ -85,6 +84,8 @@ public function beforeDispatch(): void
     }
 
     /**
+     * Set form key cookie
+     *
      * @param string $formKey
      * @return void
      */
@@ -94,6 +95,7 @@ private function updateCookieFormKey(string $formKey): void
             ->createPublicCookieMetadata();
         $cookieMetadata->setDomain($this->sessionConfig->getCookieDomain());
         $cookieMetadata->setPath($this->sessionConfig->getCookiePath());
+        $cookieMetadata->setSecure($this->sessionConfig->getCookieSecure());
         $lifetime = $this->sessionConfig->getCookieLifetime();
         if ($lifetime !== 0) {
             $cookieMetadata->setDuration($lifetime);