So, the secure flag gets set in the cookie itself and ensures that the cookie is only ever read over a secure connection?

PHP Manual says: "When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"])."

This last part about it being "on the programmer" is what confuses me. This suggests to me that the "secure" parameter only applies to the setting of a cookie, but that I, the programmer, have to do something on my end to continue to keep it secure after it is set.

-Aran

On Jun 9, 10:07 pm, "David C. Zentgraf" <[EMAIL PROTECTED]> wrote:
> Because the browser won't hand the cookie back to Cake over a non-SSL
> connection anyway if it's been set as a secure cookie(?).
>
> On 10 Jun 2008, at 13:57, aranworld wrote:
>
> > In the cookie component there is:
> >
> > $secure = false
> >
> > If set to true, it will only allow you to write a cookie if the
> > connection is through an HTTPS connection.
> >
> > But this flag has no impact on reading cookies. The component
> > provides no method for ensuring that a cookie is only read under an
> > SSL connection.
> >
> > Am I misunderstanding something? If we secure the writing of the
> > cookie, don't we also need to secure the reading of that same cookie
> > to prevent hijacking?
> >
> > Can someone explain why this SSL check for reading cookies isn't in
> > the Component code?
> >
> > -Aran
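A server-side sketch of the division of labour the thread describes, added here as an example and not code from the thread or from CakePHP; it assumes PHP 7.3+ (the array form of `setcookie`) and a cookie named `session`:

```php
<?php
// Added example (not from the thread or CakePHP). The "on the programmer" part of the
// PHP manual note is the write side: only emit a Secure cookie when the current request
// itself arrived over TLS. The read side needs no check, because a browser never attaches
// a cookie carrying the Secure attribute to a plain-HTTP request.

function request_is_https(): bool
{
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value (IIS uses "off" for plain
    // HTTP) when the connection used TLS. Behind a TLS-terminating proxy this variable
    // may be absent; in that case derive it from a header only your own proxy can set.
    $https = $_SERVER['HTTPS'] ?? '';
    return $https !== '' && strtolower($https) !== 'off';
}

function set_secure_cookie(string $name, string $value, int $ttl = 3600): bool
{
    if (!request_is_https()) {
        // Do not emit the Set-Cookie header at all on plain HTTP: the value would travel
        // in cleartext, and current browsers reject Secure cookies set over http anyway.
        return false;
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,      // browser will only send it back over HTTPS
        'httponly' => true,      // keep it out of document.cookie
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
}

// Reading needs no scheme check: if the cookie is present in $_COOKIE, the browser
// delivered it on an HTTPS request, provided it was only ever set with the Secure flag.
$session = $_COOKIE['session'] ?? null;
```

If the same cookie name was ever set without the Secure flag (for example by an older deploy), a non-secure copy can still arrive over HTTP, so the guarantee only holds when every write path goes through the checked setter.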
