Why is session.cookie_secure=1 sending cookies over HTTP?

Posted: Fri Nov 19, 2010 4:46 pm
by mecha_godzilla
Hi,

I have a set of scripts that must be accessible only via HTTPS, so if visitors land on the HTTP version of the page for some reason I automatically redirect them to the HTTPS version. To make sure the session cookie is only sent once they've landed on the HTTPS version I thought I'd set session.cookie_secure = 1 in my php.ini file, but what happens is that a cookie is still set when the HTTP version is loaded. Looking at the cookie in my browser controls, the Send For: value says "Encrypted connections only", yet it's still sent anyway.

I realise session management is not the simplest of concepts in PHP but am I missing something really obvious here? I can probably handle the session cookie sending manually as I've written some custom handlers to store the session data in my DB, but I'd prefer to know why the session.cookie_secure value isn't doing what I expect it to do first before I end up writing some pointless work-around :D

Thanks,

Mecha Godzilla

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Posted: Fri Nov 19, 2010 4:52 pm
by s992
I have nothing constructive to add to this post, but I love your username and avatar.

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Posted: Fri Nov 19, 2010 4:55 pm
by mecha_godzilla
Thanks :mrgreen:

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Posted: Fri Nov 19, 2010 6:10 pm
by cpetercarter
Have you tried session.cookie_secure=on (in php.ini)?

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Posted: Fri Nov 19, 2010 7:13 pm
by Bind

Code:

if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
    # do not set cookie
    # redirect to HTTPS
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    die();
}
# set https cookie (session_start() only reached on an HTTPS request)

PHP $_SERVER[] variables

Re: Why is session.cookie_secure=1 sending cookies over HTTP

Posted: Fri Nov 19, 2010 7:20 pm
by mecha_godzilla
cpetercarter wrote: Have you tried session.cookie_secure=on (in php.ini)?
I'll give that a try, but I think using session.cookie_secure=1 is working (in some way at least) because of the "Encrypted connections only" value being set in the cookie, which wasn't the case before. I've got around the problem - I hope - by putting a check in my script to only start the session if an SSL/TLS connection is present:

Code:

if ($_SERVER['SERVER_PORT'] == 443) {
    // custom DB-backed handlers (_open, _close, ...) are defined elsewhere in the script
    session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');
    session_start();
}
I could also use $_SERVER['HTTPS'] to test against as well I guess - I'm not sure whether one's more appropriate to use than the other. Hopefully there's an answer to this problem. It seems odd that PHP would still send the cookie regardless of whether there was an HTTP or HTTPS connection present.

Thanks,

M_G
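The check Bind sketches and the one mecha_godzilla ends up with are the same idea: session.cookie_secure only adds the Secure attribute to the Set-Cookie header, and PHP still emits that header whenever session_start() runs, HTTP or not, so the session must simply not be started on a plaintext request. The following is an added example (not code from this thread) that combines both indicators discussed above, $_SERVER['HTTPS'] and SERVER_PORT, redirects plaintext requests before any session code runs, and sets the cookie flags from the script rather than php.ini. It assumes PHP 7 or later and a configured canonical hostname (the CANONICAL_HOST constant is a placeholder); the custom save handlers from the thread are assumed to be defined elsewhere.

```php
<?php
// Added example, not code from the thread. Decide whether the request is TLS
// before any session code runs, redirect plaintext requests, and only then
// call session_start(). session.cookie_secure only adds the Secure attribute
// to the Set-Cookie header; PHP still emits that header when session_start()
// runs over plain HTTP, so the protection comes from not starting the session.
//
// Assumption: the canonical hostname is configured here rather than taken
// from the Host header, so the redirect target cannot be steered by a client.
const CANONICAL_HOST = 'www.example.com';   // placeholder value

/**
 * True when the request arrived over TLS. Both indicators from the thread are
 * checked: $_SERVER['HTTPS'] (Apache sets "on"; IIS sets "off" for plain HTTP,
 * which is why an empty() test alone is not enough) and the server port.
 */
function is_https_request(array $server): bool
{
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/** Build the HTTPS URL for the same path, using the configured host. */
function https_url_for(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . CANONICAL_HOST . $uri;
}

if (!is_https_request($_SERVER)) {
    // No session code has run, so no Set-Cookie header leaves on this request.
    header('Location: ' . https_url_for($_SERVER), true, 302);
    exit;
}

// Same effect as session.cookie_secure=1 in php.ini, set here so the script
// does not depend on the ini file; HttpOnly keeps the cookie away from scripts.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');

// Custom DB-backed handlers are assumed to be defined elsewhere, as in the thread.
// session_set_save_handler('_open', '_close', '_read', '_write', '_destroy', '_clean');
session_start();

// From here on the session cookie is only ever set on an HTTPS response, and
// the Secure attribute stops the browser from returning it over plaintext.
```

Two caveats for anyone reusing this: behind a TLS-terminating proxy or load balancer PHP sees a plain HTTP connection, so neither $_SERVER['HTTPS'] nor the port reflects the client's connection; the proxy's forwarded-protocol header has to be consulted instead, and only when the request demonstrably came from that proxy. And the behaviour the original poster saw, a Secure cookie being stored by the browser after arriving over HTTP, is what 2010-era browsers did; current browsers refuse to store a Secure cookie delivered over plaintext, but the server-side gate above is still the right fix because it also stops the session being created and written to the store for an unencrypted request.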