On Sun, Nov 7, 2010 at 2:39 PM, Yannick Warnier <ywarn...@beeznest.org>wrote:

> Hi all,
> It came to my attention through the Netcraft newsletter[1] that cookies
> in a web application are not always sent encrypted when a server is
> contacted through HTTPS.

Not quite.  Requests and responses over HTTPS are encrypted, including the
cookie header.  However, in the resource you cited, there were security
issues because auth cookies were sent even over standard requests.  The
browser has to be told (through the flag) that the cookie should only be
sent on encrypted requests.

> Would someone know the internals of that function and whether there is a
> way to force it to secure=true when the connection is made through
> HTTPS? Or maybe my question doesn't make sense because I am missing the
> point on how it works?

Call this function with the appropriate settings before you call
session_start() (or make some changes to php.ini):

> I develop an open-source application which can be used through both HTTP
> and HTTPS, so I'm a bit worried about not having this question answered
> in the doc for session_start().

Perhaps a link could be added to the documentation, although the function
session_set_cookie_params() does appear in the secondary navigation in the
left column, and not all sessions use cookies.

> Thanks,
> Yannick Warnier
> [1]
> http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
> [2] http://www.php.net/setcookie
> [3] http://www.php.net/session-start

Hope this helps,


Nephtali:  PHP web framework that functions beautifully

Reply via email to