Cookie still set on HTTP with ini_set('session.cookie_secure',1);

Question

My config file looks like this:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);

session_start();
//database connection part...

When accessing this page via https://www.mysite.com/config.php, the PHPSESSID cookie it's "Secure" slot is empty. Visiting the page via http://www.mysite.com/config.php shows the exact same cookie, with the same value.

I'm new to this so maybe I'm wrong, but this shouldn't happen, right? What am I doing wrong?

Thanks!

Well, you start your session before changing session settings. I'd expect settings to not have effect. — Álvaro González, Dec 30 '13 at 11:29
I had the session_start part after the ini_set part first, but that didn't work either... I'll update my question. — binoculars, Dec 30 '13 at 11:38
if you check the cookie in your browser preferences, is the secure flag set? — Noishe, Dec 30 '13 at 13:13
No... it's says: "for all connections". Still haven't figured out why it's not set to "secure"... — binoculars, Jan 27 '14 at 17:21

score 4 · Answer 1 · answered Jan 31 '17 at 15:16

4

The ini_set method requires a string value so update your code to the following:

ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');

session_start();

answered Jan 31 '17 at 15:16

Danny Thompson

1,526
1
11
18

score 0 · Answer 2 · edited May 23 '17 at 11:53

The session id will be sent to the client regardless of HTTP or HTTPS. You must make this distinction in your code because, apparently, PHP does not.

Fiddle with this on http (not https), leave cookie_secure set to 'on'. You will see that the cookie is transmitted to the client. (Use your favorite cookie analysis here.) But, on reload, the cookie is not submitted back to the server. cookie_secure - the client will transmit the cookie only over a secure connection.

<?php
  ini_set('session.cookie_secure','on');
  session_name('test');
  session_start();
  session_regenerate_id();
  echo "test: '".$_COOKIE['test']."'";
?>

Change the setting to 'off' and, after the second reload, you will see that the session cookie is transmitted back to the server.

To validate that you on a secure connection and should even call session_start:

<?php
  $secure = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "" );
  if(!$secure) {
    $r = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    header("Location: $r");
    exit("use https!");
  }
  //if($secure) {
    session_start();
    /* and other secure happenings;;; */
  //}
?>

or How to find out if you're using HTTPS without $_SERVER['HTTPS']

Note: This looks like a security flaw in PHP, to me, since the session id will be transmitted in cleartext: according to OWASP this is exactly what the SecureFlag is intended to prevent. https://www.owasp.org/index.php/SecureFlag --- I am using PHP 5.5.8 ; Perhaps this is a 'feature' of the language. The definition seems to be directed solely toward the client and not the server.

Did you clear your cookies between these tests? I also thought the `cookie_secure` setting wasn't working but then I tried it in an Incognito tab in Chrome and it worked. My server is running PHP 5.3.3. — Matt Browne, Jun 15 '16 at 18:09

Cookie still set on HTTP with ini_set('session.cookie_secure',1);

2 Answers2

Linked