> -----Original Message-----
> From: Adam Richardson [mailto:simpleshot@xxxxxxxxx]
> Sent: Sunday, November 07, 2010 2:22 PM
> To: PHP-General
> Subject: Re: Is session_start() using encrypted cookies with HTTPS
>
> On Sun, Nov 7, 2010 at 2:39 PM, Yannick Warnier <ywarnier@xxxxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > It came to my attention through the Netcraft newsletter[1] that cookies in a web application are not always sent encrypted when a server is contacted through HTTPS.
>
> Not quite. Requests and responses over HTTPS are encrypted, including the cookie header. However, in the resource you cited, there were security issues because auth cookies were sent even over standard requests. The browser has to be told (through the flag) that the cookie should only be sent on encrypted requests.
>
> > Would someone know the internals of that function and whether there is a way to force it to secure=true when the connection is made through HTTPS? Or maybe my question doesn't make sense because I am missing the point on how it works?
>
> Call this function with the appropriate settings before you call session_start() (or make some changes to php.ini):
> http://php.net/manual/en/function.session-set-cookie-params.php
>
> > I develop an open-source application which can be used through both HTTP and HTTPS, so I'm a bit worried about not having this question answered in the doc for session_start().
>
> Perhaps a link could be added to the documentation, although the function session_set_cookie_params() does appear in the secondary navigation in the left column, and not all sessions use cookies.
>
> > Thanks,
> >
> > Yannick Warnier
> >
> > [1] http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
> > [2] http://www.php.net/setcookie
> > [3] http://www.php.net/session-start
>
> Hope this helps,
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com

Couldn't Yannick also use $_SERVER['HTTPS'] and take action for the session and cookies accordingly?

Regards,
Tommy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
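Putting Adam's advice (configure the cookie before session_start()) and Tommy's $_SERVER['HTTPS'] check together, here is an added example; it is not code from the thread or from Yannick's project, and the function names and the `_created_over_https` session key are hypothetical.

```php
<?php
// Added example: mark the PHP session cookie Secure (and HttpOnly) when the
// current request arrived over HTTPS, then start the session.

/**
 * True when this request arrived over HTTPS.
 * $_SERVER['HTTPS'] is unset for plain HTTP on Apache, and some servers
 * (notably IIS) set it to the string "off" instead of leaving it unset.
 */
function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

/**
 * Configure the session cookie and start the session.
 * Must run before any output and before session_start().
 */
function start_secure_session($lifetime = 0, $path = '/', $domain = '')
{
    $secure   = request_is_https(); // Secure flag: browser sends the cookie only over HTTPS
    $httponly = true;               // HttpOnly: cookie is not readable from JavaScript

    // Positional form (PHP 5.2+); PHP 7.3+ also accepts an options array.
    session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);

    // Equivalent php.ini settings if you prefer a global configuration:
    //   session.cookie_secure = 1
    //   session.cookie_httponly = 1

    session_start();

    // A session first created over plain HTTP may already have had its id
    // exposed on the wire; issue a fresh id the first time it is used over
    // HTTPS so the old one cannot be replayed against the HTTPS side.
    if ($secure && empty($_SESSION['_created_over_https'])) {
        session_regenerate_id(true);
        $_SESSION['_created_over_https'] = true;
    }
}

start_secure_session();
```

Once the cookie carries the Secure flag the browser will not send it to HTTP pages of the same site, so an application served over both schemes has to accept that the HTTPS session does not carry over to HTTP (which is exactly what keeps it away from a passive sniffer).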