I have a set of scripts that must be accessible only via HTTPS, so if visitors land on the HTTP version of the page for some reason I automatically redirect them to the HTTPS version. To make sure the session cookie is only sent once they've landed on the HTTPS version I thought I'd set session.cookie_secure = 1 in my php.ini file, but what happens is that a cookie is still set when the HTTP version is loaded. Looking at the cookie in my browser controls, the Send For: value says "Encrypted connections only", yet it's still sent anyway.
I realise session management is not the simplest of concepts in PHP, but am I missing something really obvious here? I can probably handle the session cookie sending manually as I've written some custom handlers to store the session data in my DB, but I'd prefer to know why the session.cookie_secure value isn't doing what I expect it to do first before I end up writing some pointless work-around.
Thanks,
Mecha Godzilla
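The behaviour described above follows from what session.cookie_secure actually controls: it adds the Secure attribute to the session cookie (which is what the browser shows as "Encrypted connections only"), but session_start() still emits the Set-Cookie header on whatever response it runs in, HTTP included. The Secure attribute is a browser-side rule about when the cookie is sent back, not a server-side rule about when it is issued. The usual fix is to make sure no session code runs until the request is already on HTTPS. The following is an added example, not code from the original post; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and that the TLS terminator populates $_SERVER['HTTPS'], and the hostname in the redirect is a placeholder you would replace with your own configured value.

```php
<?php
// Added example (not from the original post): only touch the session once the
// request is on HTTPS, so the HTTP landing page never carries Set-Cookie at all.

// Assumption: PHP is told about TLS through $_SERVER['HTTPS']. Behind a reverse
// proxy you would instead trust X-Forwarded-Proto from that proxy only.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Placeholder: use your own canonical host rather than echoing the Host header,
// so an attacker-controlled Host value cannot steer the redirect elsewhere.
const CANONICAL_HOST = 'www.example.com';

if (!request_is_https()) {
    // Redirect before session_start(): no session is created, no cookie is set.
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// Now on HTTPS. The Secure flag is still worth setting here (it mirrors
// session.cookie_secure = 1 in php.ini) so the browser refuses to send the
// cookie over plain HTTP even if some other script starts the session on an
// HTTP page later; HttpOnly and SameSite limit script access and cross-site
// sending respectively.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// If you use custom DB-backed handlers, register them here with
// session_set_save_handler() before calling session_start().
session_start();

echo 'Session active over HTTPS, id length: ' . strlen(session_id());
```

Put this guard at the top of the shared bootstrap that every script includes, ahead of any code that reads or writes $_SESSION; once the redirect happens before session_start(), the HTTP response contains no session cookie, and the Secure flag remains as a second line of defence in case the ordering is ever broken.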