There are three calls to setrawcookie

If the WebSocket URL starts with the "wss" prefix instead of just "ws", the secure flag should be set for the cookie.

This is independent of whether the Drupal site itself is secured with HTTPS as the cookies only need to be sent to the WebSocket server.

Comments

pocock created an issue.