From 24e334815a569e8fe0e1946fad025aa2939b2d80 Mon Sep 17 00:00:00 2001
From: Arman <407448+armanist@users.noreply.github.com>
Date: Mon, 6 Apr 2026 12:52:52 +0400
Subject: [PATCH] Remember-me cookie in SessionAuthAdapter missing httpOnly and secure flags
---
 src/Auth/Adapters/SessionAuthAdapter.php | 12 +++++++-
 .../Auth/Adapters/SessionAuthAdapterTest.php | 28 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/Auth/Adapters/SessionAuthAdapter.php b/src/Auth/Adapters/SessionAuthAdapter.php
index c42d0987..c095ca52 100644
--- a/src/Auth/Adapters/SessionAuthAdapter.php
+++ b/src/Auth/Adapters/SessionAuthAdapter.php
@@ -40,6 +40,8 @@ class SessionAuthAdapter implements AuthenticatableInterface
 {
     use AuthTrait;
+    private const REMEMBER_TOKEN_LIFETIME = 2592000;
+
     /**
      * @throws AuthException
      */
@@ -201,7 +203,15 @@ private function setRememberToken(User $user): void
             [$this->keyFields[AuthKeys::REMEMBER_TOKEN] => $rememberToken]
         );
-        cookie()->set($this->keyFields[AuthKeys::REMEMBER_TOKEN], $rememberToken);
+        cookie()->set(
+            $this->keyFields[AuthKeys::REMEMBER_TOKEN],
+            $rememberToken,
+            self::REMEMBER_TOKEN_LIFETIME,
+            '/',
+            '',
+            true,
+            true
+        );
     }
     /**
diff --git a/tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php b/tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php
index c9257c05..a3f2c401 100644
--- a/tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php
+++ b/tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php
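Review bot: The added REMEMBER_TOKEN_LIFETIME constant carries no comment, so its unit and the reason for the particular value are left to the reader; `/** Lifetime of the remember-me cookie in seconds (30 days). */` above it, and writing the value as `60 * 60 * 24 * 30`, would make both explicit. A lifetime this long is a policy choice that deployments usually want to tune, so consider reading it from application configuration with this constant as the fallback. The class body continues outside the hunk.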
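Review bot: The rebuilt cookie()->set call passes `secure` as a literal true, so on a plain-HTTP origin (local development, or a deployment where TLS is terminated upstream and the app cannot tell) the browser will discard the remember-me cookie and the feature stops working with no error; deriving the flag from the request scheme or an application setting, defaulting to true, keeps the hardening without the surprise. No SameSite attribute is passed — if the cookie helper accepts one, `Lax` is the minimum for an authentication cookie, and if it does not, a comment noting that gap is worthwhile. The lifetime is enforced only by the browser: nothing visible in the hunk expires the persisted token, so a copied token would outlive the cookie unless the earlier part of setRememberToken, which is outside the hunk, handles that. The two trailing positional `true` arguments are also unreadable at the call site; named arguments, or a trailing `// secure, httpOnly` comment, would help. setRememberToken begins outside the hunk.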
@@ -63,6 +63,34 @@ public function testWebSigninWithRemember(): void
         $this->assertTrue($this->sessionAuth->check());
     }
+    public function testWebSigninWithRememberSetsCookie(): void
+    {
+        $this->assertFalse(cookie()->has('remember_token'));
+        $this->sessionAuth->signin('admin@qt.com', 'qwerty', true);
+        $this->assertTrue(cookie()->has('remember_token'));
+        $this->assertNotEmpty(cookie()->get('remember_token'));
+    }
+    public function testWebSigninWithoutRememberDoesNotSetCookie(): void
+    {
+        $this->sessionAuth->signin('admin@qt.com', 'qwerty');
+        $this->assertFalse(cookie()->has('remember_token'));
+    }
+    public function testWebSignoutRemovesRememberCookie(): void
+    {
+        $this->sessionAuth->signin('admin@qt.com', 'qwerty', true);
+        $this->assertTrue(cookie()->has('remember_token'));
+        $this->sessionAuth->signout();
+        $this->assertFalse(cookie()->has('remember_token'));
+    }
+
     public function testWebSignout(): void
     {
         $this->assertFalse($this->sessionAuth->check());
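Review bot: testWebSigninWithRememberSetsCookie asserts only that the cookie exists and is non-empty, so the httpOnly and secure flags this commit exists to add are not covered and could be dropped again without a failing test. If the cookie helper exposes the attributes it stored, or the test can inspect the emitted Set-Cookie header, assert the secure and httpOnly attributes (and the lifetime) directly rather than just presence. The value check could also be tightened from `assertNotEmpty` to equality with the token persisted for the signed-in user, which pins the round trip. testWebSignoutRemovesRememberCookie verifies only that the cookie is gone; checking that the stored token was invalidated as well would cover the server side of the same path. The enclosing test class starts and ends outside the hunk.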