iancarroll

Great, thanks. Does normally indicate it's still possible? A testing installation would still be ideal.

What are the requirements for a developer license? We have a Monthly Unbranded license from LicenseCart, but I don't see any option to acquire one. I'd like to test 3.4.

I'm trying the following patch but it doesn't work. I take it there's additional code elsewhere... http://pastie.org/9796661

Thanks. Is the file that contains the cookie logic encoded (is it possible to make the change myself)?

(I use Nginx, but there might be something similar) Making it a configurable option or just checking if the session is over TLS before setting the flag would work fine. The point of the flag is to protect against you not forcing TLS (server misconfig) when your server normally would use it.

Cookies created by Blesta are not marked as secure. Pretty easy to fix. Strict-Transport-Security does fix this, but it would be better for Blesta to set it. Is there a quick modification I can make in the meantime to patch this?