Hi! >> Could we also add HTTPS detection and enable the secure flag by default >> when a session is established on an HTTPS endpoint?
You can not see if your connection would be HTTPS or not - connection can be terminated on frontend services (like nginx or varnish) that handle https and the pass the actual work to backend like fpm or apache or whatever it is. In this situation, you may have no information about if the connection to the client is HTTPS or not. And in general, AFAIK there is no standard protocol to establishing this kind of info. There are all kinds of ways people do it, but each of them is peculiar for specific setup. I also think it is a mistake to have default behavior controlled by external factors beyond server admin's control. Server behavior should be predictable. The admin should set it up properly, if the admin is not knowledgeable enough to set it up, I don't think we can improve it by introducing variable defaults into the mix. -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php