
So I did some digging and did not find a satisfactory answer to my question concerning the PHP setcookie() parameter secure. The documentation says the following:

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to true, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

What I do not understand is the last part. What is meant by "On the server-side[...]"?

I did some testing and on my local machine, cookies are set even without https when secure is set to true. On my webserver, they are not. So does the browser consider localhost to be secure even without https?

I both set secure to true and check $_SERVER["HTTPS"] to be on the safe side, but I would like to know what exactly secure does, or rather what it does not do.

Best wishes and thanks!

MAChitgarha
Johannes
  • Localhost is considered secure, and you might be already on https://localhost - check out for that. – Souvik Jul 03 '22 at 10:36
  • It's a flag for the browser. If set, the browser should not send the value back in a `Cookie` HTTP request header unless the communication is encrypted. The note about server-side means that it's up to you to send the cookie value (`Set-Cookie` HTTP response header) using an insecure channel. But I cannot reproduce the behaviour you describe; on Windows 10, neither Chrome nor Firefox send the value in the request if secure is set to true. – Álvaro González Jul 03 '22 at 10:36
  • Alright, localhost seems to be an exception: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - It doesn't work for me because I wasn't testing in localhost but in some other domain name that resolves to a local address. – Álvaro González Jul 03 '22 at 10:43

2 Answers


You set the cookie from your server, in your PHP code, like this:

Example:

<?php

$COOKIESET = [
    'expires'  => 0,                       // 0 = session cookie (integer, not a string)
    'path'     => '/',                     // must be a quoted string
    'domain'   => 'YOURDOMAIN OR YOURIP',
    'secure'   => true,                    // boolean true, not the string 'true'
    'httponly' => true,
    'samesite' => 'Strict',                // the options-array form needs PHP >= 7.3
];

setcookie("NAME", "VALUE", $COOKIESET);

?>

Use of SECURE in cookie:

It means the browser will only send the cookie when the current connection is encrypted (SSL/TLS). You only use it with an encrypted connection.

$_SERVER["HTTPS"] is sometimes empty on some webservers, so try one of the checks from this post:

How to find out if you're using HTTPS without $_SERVER['HTTPS']

function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

or this:


$isSecure = false;
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    // Direct TLS connection to this PHP server.
    $isSecure = true;
}
elseif ((!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
     || (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')) {
    // TLS terminated at a reverse proxy. These are ordinary request headers that any
    // client can set, so only rely on them when a proxy you control strips and re-sets them.
    $isSecure = true;
}
$REQUEST_PROTOCOL = $isSecure ? 'https' : 'http';

Check this too:

session.cookie_secure with php

From:

Can a secure cookie be set from an insecure HTTP connection? If so, why is it allowed?

Secure cookies can be set over insecure channels (e.g. HTTP) as per section 4.1.2.5 of RFC 6265. It explicitly mentions that the Secure flag only provides confidentiality and not integrity, as a Secure flagged cookie can still be set from an insecure channel, overwriting any previously set value (via a secure channel or otherwise):

Use of HttpOnly in cookie:

An HttpOnly Cookie is a tag added to a browser cookie that prevents client-side scripts from accessing data. It provides a gate that prevents the specialized cookie from being accessed by anything other than the server.

Z0OM

The secure parameter for setcookie() tells the client/browser to send the cookie only on HTTPS requests.

However, the cookie will be set on the client, even if you are not using HTTPS. This is where you might make use of $_SERVER["HTTPS"], to check if you really should send the cookie with the response of your server.

But on all requests from the client using only HTTP the cookie information will be missing.

JanMalte
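The answers describe what the Secure attribute does on the browser side but only in prose. The following toy cookie jar, an added example that is not code from the question or either answer, models those rules so they can be run: a Secure cookie is only sent back when the request goes over https or to a loopback host (the localhost exception the comments link to), the original RFC 6265 behaviour stores a Secure cookie even when it arrives over plain http (so an http response can overwrite a value set over https, which is why the flag gives confidentiality but not integrity), and the `strict_secure` switch models what current Chrome and Firefox do instead, rejecting a Secure cookie received from a non-secure origin. The host names, cookie names and values are constructed, and the parser only handles the subset of Set-Cookie the model needs.

```python
# Added example (not from the original question or answers): a toy model of the
# browser-side rules that the Secure attribute controls. It is not a real cookie
# jar; all hosts, cookie names and values below are constructed.

from dataclasses import dataclass

# Hosts that browsers treat as a secure context even over plain http (assumed model).
LOCALHOST_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def is_secure_context(scheme: str, host: str) -> bool:
    """https, or a loopback host, counts as a secure context."""
    return scheme == "https" or host.lower() in LOCALHOST_HOSTS


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse the subset of Set-Cookie this model needs: name=value plus the
    value-less Secure / HttpOnly attributes (Path, Domain, etc. are ignored)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:] if "=" not in p}
    return Cookie(name.strip(), value.strip(), "secure" in flags, "httponly" in flags)


class CookieJar:
    def __init__(self, strict_secure: bool = True):
        # strict_secure=True  -> current browsers: drop Secure cookies set over http
        # strict_secure=False -> original RFC 6265 4.1.2.5: store them anyway
        self.strict_secure = strict_secure
        self._jar: dict[str, Cookie] = {}

    def receive(self, set_cookie: str, scheme: str, host: str) -> bool:
        """Process one Set-Cookie header; return True if the cookie was stored."""
        cookie = parse_set_cookie(set_cookie)
        if cookie.secure and self.strict_secure and not is_secure_context(scheme, host):
            return False
        # Without strict_secure an http response overwrites a value previously set
        # over https: the Secure flag provides confidentiality, not integrity.
        self._jar[cookie.name] = cookie
        return True

    def cookie_header(self, scheme: str, host: str) -> str:
        """Build the Cookie request header for a request to scheme://host."""
        secure_ctx = is_secure_context(scheme, host)
        sent = [c for c in self._jar.values() if not c.secure or secure_ctx]
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def script_visible(self) -> list:
        """Names that document.cookie would expose (HttpOnly hides them)."""
        return [c.name for c in self._jar.values() if not c.http_only]


def demo() -> dict:
    """Walk through the situations from the question and return the observations."""
    out = {}
    # 1. Local development: a Secure cookie set over http://localhost is stored and
    #    sent back, which is why it appears to "work" on the developer's machine.
    jar = CookieJar()
    jar.receive("sid=abc; Secure; HttpOnly", "http", "localhost")
    out["localhost_sent"] = jar.cookie_header("http", "localhost")
    out["script_visible"] = jar.script_visible()
    # 2. Real host over http: a current browser rejects the Secure cookie outright...
    jar = CookieJar(strict_secure=True)
    out["strict_stored"] = jar.receive("sid=abc; Secure", "http", "example.test")
    # 3. ...while the RFC 6265 model stores it (overwriting the https-set value)
    #    but never sends it back over http.
    jar = CookieJar(strict_secure=False)
    jar.receive("sid=fromhttps; Secure", "https", "example.test")
    out["overwritten"] = jar.receive("sid=fromhttp; Secure", "http", "example.test")
    out["http_sent"] = jar.cookie_header("http", "example.test")
    out["https_sent"] = jar.cookie_header("https", "example.test")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Running the script prints the five observations; the `localhost_sent` line is the behaviour the question saw locally, and `http_sent` being empty is what happened on the real webserver. The server-side check in the answers above is what decides whether to emit the Set-Cookie header at all, which this client-side model deliberately leaves out.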