Hi all,

It came to my attention through the Netcraft newsletter[1] that cookies in a web application are not always sent encrypted when a server is contacted through HTTPS. Looking at the setcookie()[2] documentation, there is effectively a specific parameter (set to false by default). The description of this parameter says:

"Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"])."

This part is clear. No problem with that.

However, my application relies on the session_start()[3] function, which doesn't say anything about the potential differences in behaviour between a secure and a non-secure connection (i.e. HTTPS or HTTP) when the session identifier is set to be passed through cookies. However, the session ID is still passed through a cookie, so somehow the cookie must be set with a decision on whether the mode is secure or not.

Would someone know the internals of that function and whether there is a way to force it to secure=true when the connection is made through HTTPS? Or maybe my question doesn't make sense because I am missing the point on how it works?

I develop an open-source application which can be used through both HTTP and HTTPS, so I'm a bit worried about not having this question answered in the doc for session_start().

Thanks,

Yannick Warnier

[1] http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
[2] http://www.php.net/setcookie
[3] http://www.php.net/session-start

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
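As an added illustration of the point raised in the post above (this is editorial example code, not the poster's application and not part of the original message): PHP's session cookie takes its flags from the session.cookie_secure and session.cookie_httponly settings, which can be set per request with session_set_cookie_params() before session_start() emits the cookie. The snippet assumes the SAPI populates $_SERVER['HTTPS'] as the setcookie() documentation describes; the function names request_is_https and start_session_with_cookie_flags are invented for this example.

```php
<?php
// Added example (not the original poster's code): mark the PHP session cookie
// "secure" when the request arrived over HTTPS, so the session ID is not
// sent by the browser over plain HTTP afterwards.
// Assumes the web server fills $_SERVER['HTTPS'] for TLS requests.

/**
 * Returns true when the current request was served over TLS.
 * Most SAPIs set $_SERVER['HTTPS'] to a non-empty value such as "on" or "1";
 * some (IIS) set it to "off" for plain HTTP, hence the extra comparison.
 */
function request_is_https(array $server)
{
    return isset($server['HTTPS'])
        && $server['HTTPS'] !== ''
        && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Configure the session cookie, then start the session.
 * The "secure" flag mirrors whether this request is HTTPS; HttpOnly is
 * always set so client-side scripts cannot read the session ID.
 * This must run before session_start(), because that call sends the cookie.
 */
function start_session_with_cookie_flags(array $server)
{
    $secure = request_is_https($server);

    // Same effect as the php.ini directives session.cookie_secure and
    // session.cookie_httponly, decided per request instead of globally.
    session_set_cookie_params(
        0,       // lifetime: 0 = expires when the browser closes
        '/',     // path
        '',      // domain: empty = current host only
        $secure, // secure: only sent over HTTPS when true
        true     // httponly
    );

    return session_start();
}

start_session_with_cookie_flags($_SERVER);
```

Two caveats worth keeping in mind with this approach. First, a cookie issued with secure=true is simply not sent by the browser on a later plain-HTTP request, so an application that mixes HTTP and HTTPS will see a fresh, empty session on the HTTP side rather than the HTTPS one; that is the intended protection, and the usual answer is to keep authenticated pages on HTTPS only. Second, when TLS is terminated by a reverse proxy, $_SERVER['HTTPS'] may be absent on the backend and the check above would report plain HTTP; in that deployment the flag should be decided from the proxy's configuration, not from a header an untrusted client can supply.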