From 733057e7d606c0d48e2ae78ae31f1c5eacc4531e Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Fri, 30 May 2014 15:08:15 +0000
Subject: [PATCH] Use a secure logged_in_cookie when the home URL is forced HTTPS (see #27954). see #15330. Built from https://develop.svn.wordpress.org/trunk@28627 git-svn-id: http://core.svn.wordpress.org/trunk@28447 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/pluggable.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index c51e5b6d2d..73faa67e09 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -818,8 +818,12 @@ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
 $expire = 0;
 }
- if ( '' === $secure )
+ if ( '' === $secure ) {
 $secure = is_ssl();
+ }
+
+ // Frontend cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
+ $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );
 /**
 * Filter whether the connection is secure.
@@ -840,7 +844,7 @@ function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
 * @param int $user_id User ID.
 * @param bool $secure Whether the connection is secure.
 */
- $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', false, $user_id, $secure );
+ $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );
 if ( $secure ) {
 $auth_cookie_name = SECURE_AUTH_COOKIE;
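Review bot: The new default for the logged-in cookie is computed from `$secure` before the filter on the auth-cookie decision appears to run: the added assignment sits directly above the "Filter whether the connection is secure" docblock, and the filter call that docblock introduces is outside this hunk, so the ordering is inferred. If a site turns `$secure` on through that filter while `is_ssl()` reports false (a TLS-terminating proxy is the usual case), the auth cookie would carry the Secure flag but the logged-in cookie default would stay false even with an HTTPS home URL. Moving `$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );` to just after that filter call would make the default follow the filtered value, which is also the value the second filter receives as its `$secure` argument.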
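Review bot: The docblock above the `secure_logged_in_cookie` filter is not touched here although the value passed in changes from a constant `false` to a computed default; only its last two `@param` lines are inside the hunk, so the description of the first parameter may already be stale. Callbacks that pass the incoming value through will now return true on sites whose home URL is HTTPS, which changes which requests carry the cookie, so the contract deserves a sentence. I would add to the first parameter's description something like `Defaults to true only when the auth cookie is secure and the home URL scheme is https.`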