Hi all,

On Mon, Mar 28, 2016 at 9:23 PM, Chris Riley <t.carn...@gmail.com> wrote:
> You are right, perhaps this should be controlled simply by an ini flag:
> session https only.
>
>
> On Mon, 28 Mar 2016, 01:09 Stanislav Malyshev, <smalys...@gmail.com> wrote:
>>
>> Hi!
>>
>> >> Could we also add HTTPS detection and enable the secure flag by default
>> >> when a session is established on an HTTPS endpoint?
>>
>> You cannot see if your connection would be HTTPS or not - the connection
>> can be terminated on frontend services (like nginx or varnish) that
>> handle https and then pass the actual work to a backend like fpm or apache
>> or whatever it is. In this situation, you may have no information about
>> whether the connection to the client is HTTPS or not.
>>
>> And in general, AFAIK there is no standard protocol for establishing this
>> kind of info. There are all kinds of ways people do it, but each of them
>> is peculiar to a specific setup.
>>
>> I also think it is a mistake to have default behavior controlled by
>> external factors beyond the server admin's control. Server behavior should
>> be predictable. The admin should set it up properly; if the admin is not
>> knowledgeable enough to set it up, I don't think we can improve it by
>> introducing variable defaults into the mix.
It can be made half-automatic by specifying and detecting an HTTPS connection
flag. I think half-automatic will be mostly the same as the current httponly
INI setting. It could be confusing for sites that support both HTTP and HTTPS,
too.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
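The thread's conclusion is that the secure flag on the session cookie should be set deliberately by the admin rather than guessed from the request, because a TLS-terminating proxy hides the client's transport from the backend. The snippet below is an added example written for this page, not code from the thread or from PHP itself: it configures the session cookie explicitly (the `ini_set` / `session_set_cookie_params` calls are standard PHP; the array form of `session_set_cookie_params` and the `samesite` key assume PHP 7.3 or later, and `harden_session_cookie` / `missing_session_cookie_flags` are hypothetical helper names), and it adds a self-check that refuses to start a session when a php.ini override has left the flags off.

```php
<?php
// Added example (not from the mailing-list thread): set the session cookie
// flags explicitly instead of trying to detect HTTPS from the request.
// Assumes PHP 7.3+ for the array form of session_set_cookie_params().

declare(strict_types=1);

/**
 * Apply the cookie flags an admin should choose deliberately.
 * Nothing here reads $_SERVER['HTTPS'] or an X-Forwarded-Proto header:
 * behind nginx/Varnish the backend cannot reliably see whether the
 * client connection was HTTPS, as the thread points out.
 */
function harden_session_cookie(): void
{
    // Equivalent php.ini lines:
    //   session.cookie_secure   = 1
    //   session.cookie_httponly = 1
    //   session.use_strict_mode = 1
    ini_set('session.use_strict_mode', '1');   // reject uninitialised session IDs

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // example choice; use 'Strict' where the app allows it
    ]);
}

/**
 * Inspect the effective settings before session_start() and return the
 * names of any hardening flags that are still off. Intended as a startup
 * self-test so a misconfigured php.ini fails loudly instead of silently
 * issuing a cookie over HTTP.
 *
 * @return string[] empty when the cookie is hardened
 */
function missing_session_cookie_flags(): array
{
    $params  = session_get_cookie_params();
    $missing = [];
    if (empty($params['secure'])) {
        $missing[] = 'secure';
    }
    if (empty($params['httponly'])) {
        $missing[] = 'httponly';
    }
    // ini_get() returns the raw ini string ("1", "On", ...), so normalise it.
    if (!filter_var(ini_get('session.use_strict_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $missing[] = 'use_strict_mode';
    }
    return $missing;
}

harden_session_cookie();
$missing = missing_session_cookie_flags();
if ($missing !== []) {
    // Fail closed: do not start a session with a weak cookie configuration.
    http_response_code(500);
    exit('Session cookie misconfigured, missing: ' . implode(', ', $missing));
}
session_start();
```

Because the configuration is explicit, a site that serves both HTTP and HTTPS (the case Yasuo mentions) behaves predictably: with `secure` set, the browser simply never sends the session cookie on the HTTP side, which is the intended outcome rather than a surprise dependent on proxy headers.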