laravel · mzaalan · Mar 21, 2016 · Mar 22, 2016 · Mar 22, 2016 · Mar 22, 2016
diff --git a/src/Illuminate/Cookie/CookieJar.php b/src/Illuminate/Cookie/CookieJar.php
@@ -30,6 +30,13 @@ class CookieJar implements JarContract
     protected $secure = false;
 
     /**
+     * The default httpOnly setting (defaults to true).
+     *
+     * @var bool
+     */
+    protected $httpOnly = true;
+
+	/**
      * All of the cookies queued for sending.
      *
      * @var array
@@ -48,9 +55,9 @@ class CookieJar implements JarContract
      * @param  bool    $httpOnly
      * @return \Symfony\Component\HttpFoundation\Cookie
      */
-    public function make($name, $value, $minutes = 0, $path = null, $domain = null, $secure = false, $httpOnly = true)
+    public function make($name, $value, $minutes = 0, $path = null, $domain = null, $secure = null, $httpOnly = null)
     {
-        list($path, $domain, $secure) = $this->getPathAndDomain($path, $domain, $secure);
+        list($path, $domain, $secure, $httpOnly) = $this->getPathAndDomain($path, $domain, $secure, $httpOnly);
 
         $time = ($minutes == 0) ? 0 : time() + ($minutes * 60);
 
@@ -68,7 +75,7 @@ public function make($name, $value, $minutes = 0, $path = null, $domain = null,
      * @param  bool    $httpOnly
      * @return \Symfony\Component\HttpFoundation\Cookie
      */
-    public function forever($name, $value, $path = null, $domain = null, $secure = false, $httpOnly = true)
+    public function forever($name, $value, $path = null, $domain = null, $secure = null, $httpOnly = null)
     {
         return $this->make($name, $value, 2628000, $path, $domain, $secure, $httpOnly);
     }
@@ -143,11 +150,12 @@ public function unqueue($name)
      * @param  string  $path
      * @param  string  $domain
      * @param  bool    $secure
+     * @param  bool    $httpOnly
      * @return array
      */
-    protected function getPathAndDomain($path, $domain, $secure = false)
+    protected function getPathAndDomain($path, $domain, $secure = null, $httpOnly = null)
     {
-        return [$path ?: $this->path, $domain ?: $this->domain, $secure ?: $this->secure];
+        return [$path ?: $this->path, $domain ?: $this->domain, isset($secure) ? $secure : $this->secure, isset($httpOnly) ? $httpOnly : $this->httpOnly];
     }
 
     /**
@@ -156,11 +164,12 @@ protected function getPathAndDomain($path, $domain, $secure = false)
      * @param  string  $path
      * @param  string  $domain
      * @param  bool    $secure
+     * @param  bool    $httpOnly
      * @return $this
      */
-    public function setDefaultPathAndDomain($path, $domain, $secure = false)
+    public function setDefaultPathAndDomain($path, $domain, $secure = false, $httpOnly = true)
     {
-        list($this->path, $this->domain, $this->secure) = [$path, $domain, $secure];
+        list($this->path, $this->domain, $this->secure, $this->httpOnly) = [$path, $domain, $secure, $httpOnly];
 
         return $this;
     }

diff --git a/src/Illuminate/Cookie/CookieServiceProvider.php b/src/Illuminate/Cookie/CookieServiceProvider.php
@@ -16,7 +16,7 @@ public function register()
         $this->app->singleton('cookie', function ($app) {
             $config = $app['config']['session'];
 
-            return (new CookieJar)->setDefaultPathAndDomain($config['path'], $config['domain'], $config['secure']);
+            return (new CookieJar)->setDefaultPathAndDomain($config['path'], $config['domain'], $config['secure'], data_get($config,'http_only',true));
         });
     }
 }
diff --git a/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php b/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php
@@ -3,8 +3,8 @@
 namespace Illuminate\Foundation\Http\Middleware;
 
 use Closure;
+use Illuminate\Support\Arr;
 use Illuminate\Foundation\Application;
-use Symfony\Component\HttpFoundation\Cookie;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Session\TokenMismatchException;
 
@@ -133,9 +133,8 @@ protected function addCookieToResponse($request, $response)
         $config = config('session');
 
         $response->headers->setCookie(
-            new Cookie(
-                'XSRF-TOKEN', $request->session()->token(), time() + 60 * 120,
-                $config['path'], $config['domain'], $config['secure'], false
+            cookie()->make(
+                'XSRF-TOKEN', $request->session()->token(), 120, null, null, null, Arr::get($config, 'http_only', false)
             )
         );
 

diff --git a/src/Illuminate/Foundation/helpers.php b/src/Illuminate/Foundation/helpers.php
@@ -241,7 +241,7 @@ function config_path($path = '')
      * @param  bool    $httpOnly
      * @return \Symfony\Component\HttpFoundation\Cookie
      */
-    function cookie($name = null, $value = null, $minutes = 0, $path = null, $domain = null, $secure = false, $httpOnly = true)
+    function cookie($name = null, $value = null, $minutes = 0, $path = null, $domain = null, $secure = null, $httpOnly = null)
     {
         $cookie = app(CookieFactory::class);
 

diff --git a/src/Illuminate/Session/Middleware/StartSession.php b/src/Illuminate/Session/Middleware/StartSession.php
@@ -180,7 +180,7 @@ protected function addCookieToResponse(Response $response, SessionInterface $ses
         if ($this->sessionIsPersistent($config = $this->manager->getSessionConfig())) {
             $response->headers->setCookie(new Cookie(
                 $session->getName(), $session->getId(), $this->getCookieExpirationDate(),
-                $config['path'], $config['domain'], Arr::get($config, 'secure', false)
+                $config['path'], $config['domain'], Arr::get($config, 'secure', false), Arr::get($config, 'http_only', true)
             ));
         }
     }