On Sun, Nov 7, 2010 at 2:39 PM, Yannick Warnier <ywarnier@xxxxxxxxxxxx> wrote:
> Hi all,
>
> It came to my attention through the Netcraft newsletter[1] that cookies
> in a web application are not always sent encrypted when a server is
> contacted through HTTPS.

Not quite. Requests and responses over HTTPS are encrypted, including the cookie header. However, in the resource you cited, there were security issues because auth cookies were sent even over standard requests. The browser has to be told (through the flag) that the cookie should only be sent on encrypted requests.

> Would someone know the internals of that function and whether there is a
> way to force it to secure=true when the connection is made through
> HTTPS? Or maybe my question doesn't make sense because I am missing the
> point on how it works?

Call this function with the appropriate settings before you call session_start() (or make some changes to php.ini):
http://php.net/manual/en/function.session-set-cookie-params.php

> I develop an open-source application which can be used through both HTTP
> and HTTPS, so I'm a bit worried about not having this question answered
> in the doc for session_start().

Perhaps a link could be added to the documentation, although the function session_set_cookie_params() does appear in the secondary navigation in the left column, and not all sessions use cookies.

> Thanks,
>
> Yannick Warnier
>
> [1] http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
> [2] http://www.php.net/setcookie
> [3] http://www.php.net/session-start

Hope this helps,

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
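The advice above, worked through as an added example (not code from the thread or from Nephtali): set the session cookie's secure flag from the request's transport before session_start(), so an application served over both HTTP and HTTPS never sends its session id in the clear. The request_is_https() helper and the php.ini lines are assumptions about a typical deployment, not something the thread shows.

```php
<?php
// Added example: mark the PHP session cookie Secure (and HttpOnly) when the
// request arrived over TLS. This must run before session_start(); once the
// session has started, the Set-Cookie header already carries the old params.

/**
 * Decide whether the current request came in over HTTPS.
 * Most SAPIs set $_SERVER['HTTPS'] to a non-empty value other than "off";
 * the port check covers environments that only expose SERVER_PORT.
 * Behind a TLS-terminating proxy neither may be set; in that case consult
 * the proxy's forwarded-protocol header, but only for a known proxy address.
 */
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

$secure = request_is_https($_SERVER);

session_set_cookie_params(
    0,        // lifetime: 0 = session cookie, discarded when the browser closes
    '/',      // path
    '',       // domain: empty = current host only
    $secure,  // secure: browser sends the cookie on HTTPS requests only
    true      // httponly: cookie not readable by page scripts
);

session_start();

// If the whole site is served over HTTPS, the same effect without code, in
// php.ini (assumed typical settings; cookie_secure forbids plain-HTTP use):
//   session.cookie_secure   = 1
//   session.cookie_httponly = 1
```

A session id first issued over plain HTTP has already travelled unencrypted, so when the user moves to HTTPS the application should call session_regenerate_id(true) so the Secure cookie carries a fresh id rather than the exposed one.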