fix #4067 Cookie（csrfToken）にsecure属性が付かない問題を解決 (#4068)

Co-authored-by: kato <[email protected]>
Co-authored-by: ryuring <[email protected]>

src/Application.php

@@ -64,6 +64,12 @@ public function bootstrap(): void
      */
     public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
     {
+        $csrfProtectionMiddlewareOptions = ['httponly' => true];
+        //リクエストがhttpsならcsrfTokenにもsecureヘッダを付与
+        $sessionConfig = (array) Configure::read('Session');
+        if (!empty($sessionConfig['ini']['session.cookie_secure']) || (int) ini_get('session.cookie_secure') === 1) {
+            $csrfProtectionMiddlewareOptions['secure'] =  true;
+        }
         $middlewareQueue
             // Catch any exceptions in the lower layers,
             // and make an error page/response
@@ -87,9 +93,7 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 
             // Cross Site Request Forgery (CSRF) Protection Middleware
             // https://book.cakephp.org/5/en/security/csrf.html#cross-site-request-forgery-csrf-middleware
-            ->add(new CsrfProtectionMiddleware([
-                'httponly' => true,
-            ]));
+            ->add(new CsrfProtectionMiddleware($csrfProtectionMiddlewareOptions));
 
         return $middlewareQueue;
     }