http://cookies.lcs.mit.edu/sslflag.html
> One of the values in a cookie is the SSL bit. If this bit is set to
> true, then the cookie will only be sent back to the server over a
> connection which is encrypted with SSL. If it is set to false, the
> cookie will be sent whenever the user visits the domain.

On 10 Jun 2008, at 14:44, aranworld wrote:

> So, the secure flag gets set in the cookie itself and ensures that the
> cookie is only ever read over a secure connection?
>
> PHP Manual says:
>
> When set to TRUE, the cookie will only be set if a secure connection
> exists. The default is FALSE. On the server-side, it's on the programmer
> to send this kind of cookie only on secure connection (e.g. with respect
> to $_SERVER["HTTPS"]).
>
> This last part about it being "on the programmer" is what confuses
> me. This suggests to me that the "secure" parameter only applies to
> the setting of a cookie, but that I, the programmer, have to do
> something on my end to continue to keep it secure after it is set.
>
> -Aran
>
> On Jun 9, 10:07 pm, "David C. Zentgraf" <[EMAIL PROTECTED]> wrote:
>> Because the browser won't hand the cookie back to Cake over a non-SSL
>> connection anyway if it's been set as secure cookie(?).
>>
>> On 10 Jun 2008, at 13:57, aranworld wrote:
>>
>>> In the cookie component there is:
>>>
>>> $secure = false
>>>
>>> If set to true, it will only allow you to write a cookie if the
>>> connection is through an HTTPS connection.
>>>
>>> But this flag has no impact on reading cookies. The component
>>> provides no method for ensuring that a cookie is only read under an
>>> SSL connection.
>>>
>>> Am I misunderstanding something? If we secure the writing of the
>>> cookie, don't we also need to secure the reading of that same cookie
>>> to prevent hijacking?
>>>
>>> Can someone explain why this SSL check for reading cookies isn't in
>>> the Component code?
>>>
>>> -Aran
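The point the thread settles on, as an added example (not CakePHP's CookieComponent code nor from the PHP manual): the server's only job is to issue the cookie with the Secure flag, and only when the request itself arrived over HTTPS; once the flag is set, the browser refuses to send that cookie over plain HTTP, so no "secure read" check is needed on the server. The `requestIsHttps()` and `setSecureCookie()` helper names and the constructed `$server` arrays are assumptions for illustration.

```php
<?php
// Does this request arrive over TLS? The web server populates $_SERVER['HTTPS']
// on an encrypted connection; some servers (IIS) set the string "off" on plain
// HTTP instead of leaving it unset, hence the explicit comparison.
function requestIsHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Issue $name=$value with the Secure flag, or refuse when the current request is
// not over HTTPS (sending it now would put $value on the wire in the clear).
// Returns true when the Set-Cookie header was queued. Uses the positional
// setcookie() signature, which exists in every PHP version.
function setSecureCookie(string $name, string $value, array $server, int $lifetime = 0): bool
{
    if (!requestIsHttps($server)) {
        error_log("refusing to issue Secure cookie '$name' over a plain HTTP request");
        return false;
    }
    $expires = $lifetime > 0 ? time() + $lifetime : 0;
    // Argument 6 ($secure = true) is the flag the thread discusses: from here on the
    // browser only returns this cookie on https:// requests to the domain, so the
    // application never needs a read-side SSL check for it.
    return setcookie($name, $value, $expires, '/', '', true);
}

// Constructed sample requests (not real server data) showing both branches.
$plainHttpRequest = ['HTTPS' => 'off', 'REQUEST_URI' => '/login'];
$tlsRequest       = ['HTTPS' => 'on',  'REQUEST_URI' => '/login'];

$token = bin2hex(random_bytes(16)); // constructed session token

// Refused: the request is not encrypted, so the cookie is not issued at all.
$issuedOverHttp  = setSecureCookie('CAKEPHP', $token, $plainHttpRequest);
// Issued with Secure set: the browser will only send it back over HTTPS.
$issuedOverHttps = setSecureCookie('CAKEPHP', $token, $tlsRequest);

printf("issued over http: %s, issued over https: %s\n",
    var_export($issuedOverHttp, true), var_export($issuedOverHttps, true));
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` may be unset even for encrypted client connections; in that deployment the HTTPS decision has to come from the proxy's forwarded-protocol header instead, which this example does not cover.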
