Why is session.cookie_secure=1 sending cookies over HTTP?

mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Why is session.cookie_secure=1 sending cookies over HTTP?

Post by mecha_godzilla »

Hi,

I have a set of scripts that must be accessible only via HTTPS, so if visitors land on the HTTP version of the page for some reason I automatically redirect them to the HTTPS version. To make sure the session cookie is only sent once they've landed on the HTTPS version I thought I'd set session.cookie_secure = 1 in my php.ini file, but what happens is that a cookie is still set when the HTTP version is loaded. Looking at the cookie in my browser controls, the Send For: value says "Encrypted connections only", yet it's still sent anyway.

I realise session management is not the simplest of concepts in PHP but am I missing something really obvious here? I can probably handle the session cookie sending manually as I've written some custom handlers to store the session data in my DB, but I'd prefer to know why the session.cookie_secure value isn't doing what I expect it to do first before I end up writing some pointless work-around :D

Thanks,

Mecha Godzilla
s992
Forum Contributor
Posts: 124
Joined: Wed Oct 27, 2010 3:06 pm

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Post by s992 »

I have nothing constructive to add to this post, but I love your username and avatar.
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Post by mecha_godzilla »

Thanks :mrgreen:
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Post by cpetercarter »

Have you tried session.cookie_secure=on (in php.ini)?
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Post by Bind »

Code:

// empty() only accepts a variable, not an expression, so the check has to be
// split into two clauses: HTTPS unset/empty, or set to 'off' (as IIS does).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')
   {
       # do not set cookie
       # redirect to HTTPS
       die();
   }
# set https cookie
PHP $_SERVER[] variables
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Post by mecha_godzilla »

cpetercarter wrote: Have you tried session.cookie_secure=on (in php.ini)?
I'll give that a try, but I think using session.cookie_secure=1 is working (in some way at least) because of the "Encrypted connections only" value being set in the cookie, which wasn't the case before. I've got around the problem - I hope - by putting a check in my script to only start the session if an SSL/TLS connection is present:

Code:

// Only start the session (and therefore emit the session cookie) on port 443.
// _open, _close, _read, _write, _destroy and _clean are the custom DB-backed
// save handlers defined elsewhere in the script.
if ($_SERVER['SERVER_PORT'] == 443) {
    session_set_save_handler('_open','_close','_read','_write','_destroy','_clean');
    session_start();
}
I could also use $_SERVER['HTTPS'] to test against, I guess - I'm not sure whether one's more appropriate to use than the other. Hopefully there's an answer to this problem. It seems odd that PHP would still send the cookie regardless of whether there was an HTTP or HTTPS connection present.

Thanks,

M_G
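Worked example, added by the editor and not taken from any post in this thread, combining Bind's HTTPS check with mecha_godzilla's "only start the session over TLS" approach. The point it demonstrates is the one the thread circles around: session.cookie_secure (or the secure flag passed to session_set_cookie_params) only tells the browser not to send the cookie over plain HTTP; PHP will still emit a Set-Cookie header whenever session_start() runs, even on an HTTP request. The server-side check therefore has to come before session_start(). Assumptions: PHP 7.3 or later (for the array form of session_set_cookie_params), a CANONICAL_HOST constant configured by the application rather than taken from the Host header, and the custom save handlers from the thread omitted for brevity.

```php
<?php
// Added example (not from the thread). Start the session only after the
// request is known to be over TLS, and mark the session cookie Secure and
// HttpOnly. The Secure attribute governs when the browser *sends* the cookie;
// it does not stop PHP from *issuing* it, so the HTTPS check comes first.

declare(strict_types=1);

// Assumption: the application configures its canonical hostname. Redirecting
// to $_SERVER['HTTP_HOST'] would let a forged Host header choose the target.
const CANONICAL_HOST = 'www.example.com';

/**
 * True when this request arrived over TLS.
 * Checks $_SERVER['HTTPS'] (set by Apache and most FastCGI/nginx setups;
 * IIS sets it to 'off' instead of leaving it unset) and falls back to the port.
 * X-Forwarded-Proto is deliberately not consulted: trust it only when a
 * TLS-terminating proxy is the sole route to this host.
 */
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/**
 * Send the browser to the HTTPS version of the same path and stop.
 * Nothing else runs, so no session is created and no Set-Cookie is emitted.
 */
function redirect_to_https(array $server): void
{
    $uri = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

if (!request_is_https($_SERVER)) {
    redirect_to_https($_SERVER);
}

// Cookie attributes ride on the Set-Cookie header, so they must be configured
// before session_start(). 'secure' => true is equivalent to session.cookie_secure=1.
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,       // browser sends it over TLS only
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',      // not sent on cross-site POSTs
]);

// session_set_save_handler(...) for the DB-backed handlers would go here.
session_start();
```

Two caveats worth knowing when testing this. First, current browsers refuse to store a cookie carrying the Secure attribute when it arrives over plain HTTP, which is why a modern browser may no longer reproduce what the original post describes; the server-side check is still what prevents the session from being created on the HTTP request in the first place. Second, checking SERVER_PORT == 443 alone breaks on non-standard TLS ports and behind a proxy that terminates TLS, so $_SERVER['HTTPS'] is the primary signal here and the port is only a fallback.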