From d0d15053675b98692e02bd96c75e068d71c45429 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Thu, 26 Feb 2026 01:25:36 +0900
Subject: [PATCH] Enable secure session and cookies by default if installed or upgraded in an HTTPS site
---
 common/framework/parsers/ConfigParser.php | 2 ++
 modules/install/install.controller.php | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/common/framework/parsers/ConfigParser.php b/common/framework/parsers/ConfigParser.php
index 448cd10dc..19378874c 100644
--- a/common/framework/parsers/ConfigParser.php
+++ b/common/framework/parsers/ConfigParser.php
@@ -184,6 +184,8 @@ class ConfigParser
 if (isset($db_info->use_ssl) && in_array($db_info->use_ssl, ['always', 'optional']))
 {
 $config['url']['ssl'] = 'always';
+ $config['session']['use_ssl'] = true;
+ $config['session']['use_ssl_cookies'] = true;
 }
 else
 {
diff --git a/modules/install/install.controller.php b/modules/install/install.controller.php
index 8e1e7c995..ab4920775 100644
--- a/modules/install/install.controller.php
+++ b/modules/install/install.controller.php
@@ -204,6 +204,13 @@ class installController extends install
 // Set the default umask.
 $config['file']['umask'] = Rhymix\Framework\Storage::recommendUmask();

+ // Set default security settings.
+ if ($config['url']['ssl'] === 'always')
+ {
+ $config['session']['use_ssl'] = true;
+ $config['session']['use_ssl_cookies'] = true;
+ }
+
 // Load the new configuration.
 Rhymix\Framework\Config::setAll($config);
 Context::loadDBInfo($config);
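Review bot: In `common/framework/parsers/ConfigParser.php` the two added assignments apply to a legacy `use_ssl` of `'optional'` as well as `'always'`, and nothing in the hunk records that a mixed HTTP/HTTPS site is deliberately moved to HTTPS-only session and cookie handling during conversion. Judging by the key names, these flags restrict the session cookie and other cookies to secure connections, so a converted site whose HTTPS endpoint is not fully working would presumably lose logins on plain-HTTP requests; that is a reasonable hardening trade-off, but it should be stated. I would add above them `// Legacy 'optional' is treated as 'always': sessions and cookies become HTTPS-only too.` The `else` branch opens inside the hunk and continues outside it, so whether it leaves both flags at an explicit value cannot be checked from here.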
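Review bot: In `modules/install/install.controller.php` the new condition reads `$config['url']['ssl']` directly, and the assignment of that key is outside the hunk; if any install path leaves it unset, PHP 8 emits an undefined-array-key warning and the secure flags are skipped without notice, which `if (($config['url']['ssl'] ?? null) === 'always')` avoids. The test is also narrower than the one in `ConfigParser.php`, which accepts `'optional'` too, so if the installer can still produce that value the two paths would end up with different cookie settings. The comment `// Set default security settings.` could name what is being set, for example `// HTTPS-only site: restrict the session and cookies to secure connections.` The enclosing method starts and ends outside the hunk.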