Hi all,

It came to my attention through the Netcraft newsletter[1] that cookies
in a web application are not always sent encrypted when a server is
contacted through HTTPS.

Looking at the setcookie()[2] documentation, there is effectively a
specific parameter (set to false by default). The description of this
parameter says:
"Indicates that the cookie should only be transmitted over a secure
HTTPS connection from the client. When set to TRUE, the cookie will only
be set if a secure connection exists. On the server-side, it's on the
programmer to send this kind of cookie only on secure connection (e.g.
with respect to $_SERVER["HTTPS"])."

This part is clear. No problem with that.

However, my application relies on the session_start()[3] function, which
doesn't say anything about the potential differences in behaviour
between a secure and a non-secure connection (i.e. HTTPS or HTTP) when the
session identifier is set to be passed through cookies. However, the
session ID is still passed through a cookie, so somehow the cookie must
be set with a decision on whether the mode is secure or not.

Would someone know the internals of that function and whether there is a
way to force it to secure=true when the connection is made through
HTTPS? Or maybe my question doesn't make sense because I am missing the
point on how it works?

I develop an open-source application which can be used through both HTTP
and HTTPS, so I'm a bit worried about not having this question answered
in the doc for session_start().

Thanks,

Yannick Warnier

[1] http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html
[2] http://www.php.net/setcookie
[3] http://www.php.net/session-start



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
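For readers landing on this thread: the session cookie that session_start() emits is governed by the session.cookie_* ini settings (session.cookie_secure defaults to 0), and session_start() does not inspect $_SERVER["HTTPS"] on its own, so the application has to decide before the session is started. The following is an added example written for this page, not code from the original post or from the poster's application; the helper names request_is_https() and start_hardened_session() and the session names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original post): give PHP's own session cookie
// the Secure flag whenever the request actually arrived over HTTPS.

/**
 * Hypothetical helper: true when the current request came in over TLS.
 * Only consult proxy headers such as X-Forwarded-Proto if a reverse proxy
 * you control sets them; a client can forge them otherwise.
 */
function request_is_https(array $server)
{
    // Apache/nginx set HTTPS to "on"; IIS sets it to "off" on plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    return false;
}

/**
 * Hypothetical helper: configure the session cookie, then start the session.
 * Must run before any output is sent and before session_start().
 */
function start_hardened_session($isHttps)
{
    // Secure flag only when we really are on HTTPS. Setting it on an HTTP
    // request would make the browser withhold the cookie and every request
    // would start a fresh session.
    ini_set('session.cookie_secure', $isHttps ? '1' : '0');

    // Related flags worth setting at the same time:
    ini_set('session.cookie_httponly', '1');  // keep the ID away from document.cookie
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL

    // Equivalent older-style call for the same flags
    // (lifetime, path, domain, secure, httponly):
    // session_set_cookie_params(0, '/', '', $isHttps, true);

    // When a site is reachable over both schemes, a cookie set over HTTP under
    // the same name is also sent over HTTPS and can replace the Secure one.
    // A distinct cookie name per scheme keeps the two sessions apart.
    session_name($isHttps ? 'APPSESSID_SECURE' : 'APPSESSID');

    session_start();

    // First request of a new session: discard any client-supplied ID so a
    // value planted before login is never kept (session fixation).
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
}

start_hardened_session(request_is_https($_SERVER));
```

If the application is served exclusively over HTTPS, the simpler answer is to set `session.cookie_secure = 1` (and `session.cookie_httponly = 1`) in php.ini or the virtual host configuration and leave the code alone; the per-request logic above is only needed for the mixed HTTP/HTTPS deployment described in the question.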