fix: set_cookie() does not use Config\Cookie values

Author: kenjis

system/HTTP/ResponseTrait.php

@@ -17,6 +17,7 @@
 use CodeIgniter\HTTP\Exceptions\HTTPException;
 use CodeIgniter\Pager\PagerInterface;
 use CodeIgniter\Security\Exceptions\SecurityException;
+use Config\Cookie as CookieConfig;
 use Config\Services;
 use DateTime;
 use DateTimeZone;
@@ -544,8 +545,8 @@ public function redirect(string $uri, string $method = 'auto', ?int $code = null
      * @param string              $domain   Cookie domain (e.g.: '.yourdomain.com')
      * @param string              $path     Cookie path (default: '/')
      * @param string              $prefix   Cookie name prefix ('': the default prefix)
-     * @param bool                $secure   Whether to only transfer cookies via SSL
-     * @param bool                $httponly Whether only make the cookie accessible via HTTP (no javascript)
+     * @param bool|null           $secure   Whether to only transfer cookies via SSL
+     * @param bool|null           $httponly Whether only make the cookie accessible via HTTP (no javascript)
      * @param string|null         $samesite
      *
      * @return $this
@@ -557,8 +558,8 @@ public function setCookie(
         $domain = '',
         $path = '/',
         $prefix = '',
-        $secure = false,
-        $httponly = false,
+        $secure = null,
+        $httponly = null,
         $samesite = null
     ) {
         if ($name instanceof Cookie) {
@@ -567,8 +568,17 @@ public function setCookie(
             return $this;
         }
 
+        /** @var CookieConfig|null $cookieConfig */
+        $cookieConfig = config('Cookie');
+
+        if ($cookieConfig) {
+            $secure ??= $cookieConfig->secure;
+            $httponly ??= $cookieConfig->httponly;
+            $samesite ??= $cookieConfig->samesite;
+        }
+
         if (is_array($name)) {
-            // always leave 'name' in last place, as the loop will break otherwise, due to $$item
+            // always leave 'name' in last place, as the loop will break otherwise, due to ${$item}
             foreach (['samesite', 'value', 'expire', 'domain', 'path', 'prefix', 'secure', 'httponly', 'name'] as $item) {
                 if (isset($name[$item])) {
                     ${$item} = $name[$item];

system/Helpers/cookie_helper.php

@@ -30,8 +30,8 @@
      * @param string       $domain   For site-wide cookie. Usually: .yourdomain.com
      * @param string       $path     The cookie path
      * @param string       $prefix   The cookie prefix ('': the default prefix)
-     * @param bool         $secure   True makes the cookie secure
-     * @param bool         $httpOnly True makes the cookie accessible via http(s) only (no javascript)
+     * @param bool|null    $secure   True makes the cookie secure
+     * @param bool|null    $httpOnly True makes the cookie accessible via http(s) only (no javascript)
      * @param string|null  $sameSite The cookie SameSite value
      *
      * @see \CodeIgniter\HTTP\Response::setCookie()
@@ -43,8 +43,8 @@ function set_cookie(
         string $domain = '',
         string $path = '/',
         string $prefix = '',
-        bool $secure = false,
-        bool $httpOnly = false,
+        ?bool $secure = null,
+        ?bool $httpOnly = null,
         ?string $sameSite = null
     ) {
         $response = Services::response();

tests/system/Helpers/CookieHelperTest.php

@@ -20,6 +20,7 @@
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\Mock\MockResponse;
 use Config\App;
+use Config\Cookie;
 use Config\Cookie as CookieConfig;
 use Config\Services;
 
@@ -89,6 +90,31 @@ public function testSetCookieByArrayParameters()
         delete_cookie($this->name);
     }
 
+    public function testSetCookieConfigCookieIsUsed()
+    {
+        /** @var Cookie $config */
+        $config           = config('Cookie');
+        $config->secure   = true;
+        $config->httponly = true;
+        $config->samesite = 'None';
+        Factories::injectMock('config', 'Cookie', $config);
+
+        $cookieAttr = [
+            'name'   => $this->name,
+            'value'  => $this->value,
+            'expire' => $this->expire,
+        ];
+        set_cookie($cookieAttr);
+
+        $cookie  = $this->response->getCookie($this->name);
+        $options = $cookie->getOptions();
+        $this->assertTrue($options['secure']);
+        $this->assertTrue($options['httponly']);
+        $this->assertSame('None', $options['samesite']);
+
+        delete_cookie($this->name);
+    }
+
     public function testSetCookieSecured()
     {
         $pre       = 'Hello, I try to';