"Curiosity is the very basis of education and if you tell me that curiosity killed the cat, I say only the cat died nobly." - Arnold Edinborough

As of Laravel 5.0 it’s still not possible to set the remember me cookie with a secure flag. This is slightly weird as there is a configuration option for secure session cookies. Fortunately modifying Laravel to set a secure log-in cookie is not too difficult – all we need to do is provide a custom Guard class for the Auth driver which overrides the setRecaller() method.

This code is done against Laravel 4.2, I’m not sure how simple it is to adapt to 5.0 as I have not had a chance to work with that yet. Feel free to let me know in a comment.

<?php 
/*  
 * Custom guard class that sets a secure log-in cookie.
 */ 
class SecureGuard extends \Illuminate\Auth\Guard
{
	/**
	 * Create a secure remember me cookie for a given ID.
	 *
	 * @param  string  $value
	 * @return \Symfony\Component\HttpFoundation\Cookie
	 */
	protected function createRecaller($value)
	{
		return $this->getCookieJar()->forever($this->getRecallerName(), $value, null, null, true);
	}
}

Now that we have our custom guard class we need to tell Laravel to use this new class. While not completely intuitive the best way to do that is to configure a custom auth driver where we wrap the default EloquentUserProvider class in our new SecureGuard class. Add the following to your global.php file.

<?php
/*
|--------------------------------------------------------------------------
| Auth Driver
|--------------------------------------------------------------------------
|
| Extend the auth driver to support secure cookies.
|
*/

Auth::extend('SecureAuth', function($app)
{
	$model    = $app['config']['auth.model'];
	$provider = new Illuminate\Auth\EloquentUserProvider($app['hash'], $model);

	return new SecureGuard($provider, $app['session.store']);
});

Finally update your auth.php config file to set the new auth driver.

'driver' => 'SecureAuth',


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>