Jump to content

Recommended Posts

 

(1) Is this right?

session.cookie_httponly and session.cookie_secure when set in php.ini or using ini_set will ensure that the session id cookie is only accessible through HTTP (and not JavaScript) and also that it is only sent when using a https connection. In other words, using this should ensure that the session id can't be seen by a 3rd party (they only see the encrypted value). Also, session.cookie_httponly/secure only affects the session id, not any other cookies that are set. Is this right?

 

(2) Is there a setting to ensure the httponly or secure flag is always added to cookies? So, if session.cookie_httponly/secure ensures the session id, what about non-session-id cookies?

 

'all.cookie_secure' or something sounds a good idea.

 

Thanks.

1)  not quite.  This is correct:

 

session.cookie_httponly and session.cookie_secure when set in php.ini or using ini_set will ensure that the session id cookie is only accessible through HTTP (and not JavaScript) and also that it is only sent when using a https connection. In other words, using this should ensure that the session id can't be seen by a 3rd party

 

This is not correct:

 

(they only see the encrypted value)

 

They would see nothing, and/or an entire encrypted data stream.  The cookies are transmitted along with the page itself, not as separate documents, so the entire page request contains headers, which may or may not contain cookies.  Since the entire transmission is encrypted due to the secure flag, they can only tell "some data is being sent."

 

2)  You can pass flags along with all setcookie calls.  I don't know if there's a php.ini setting for it.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.