Do I understand session.cookie_httponly / secure

[johnsmith153]

 

(1) Is this right?

session.cookie_httponly and session.cookie_secure when set in php.ini or using ini_set will ensure that the session id cookie is only accessible through HTTP (and not JavaScript) and also that it is only sent when using a https connection. In other words, using this should ensure that the session id can't be seen by a 3rd party (they only see the encrypted value). Also, session.cookie_httponly/secure only affects the session id, not any other cookies that are set. Is this right?

 

(2) Is there a setting to ensure the httponly or secure flag is always added to cookies? So, if session.cookie_httponly/secure ensures the session id, what about non-session-id cookies?

 

'all.cookie_secure' or something sounds a good idea.

 

Thanks.

[ManiacDan]

1)  not quite.  This is correct:

 

session.cookie_httponly and session.cookie_secure when set in php.ini or using ini_set will ensure that the session id cookie is only accessible through HTTP (and not JavaScript) and also that it is only sent when using a https connection. In other words, using this should ensure that the session id can't be seen by a 3rd party

 

This is not correct:

 

(they only see the encrypted value)

 

They would see nothing, and/or an entire encrypted data stream.  The cookies are transmitted along with the page itself, not as separate documents, so the entire page request contains headers, which may or may not contain cookies.  Since the entire transmission is encrypted due to the secure flag, they can only tell "some data is being sent."

 

2)  You can pass flags along with all setcookie calls.  I don't know if there's a php.ini setting for it.