php.ini set session cookie secure

Question

I have read some security post on session. Although I configure most of it in php.ini in my shared host, some I can't.

1) I cannot find session.cookie_secure and session.cookie_httponly in my php.ini, since I'm still new to PHP I don't want to just add those two lines in the file without knowing any consequences. Alternatively, I used a approach by editing .htaccess. Not sure does it work or not.

IfModule php5_module<br>
php_flag session.cookie_secure on<br>
php_flag session.cookie_httponly on<br>
/IfModule<br><br>

Is this method alright?

2) Currently I am running version 5.3.28 and php.net stated session.entropy_file support many unix system but only start supporting Windows after 5.3.3 which exceed my version. The default php.ini has this:

;session.entropy_length = 16  
;session.entropy_file = /dev/urandom

Should I concern or am I worrying too much?

3) Should I use setcookie or setrawcookie?

4) I am following Securely creating and destroying login sessions in PHP for security, is there anymore I need to put into consideration?

Answer 1

1) Those should definitely be in your php.ini file, however they will be commented out meaning they start with a ; you need to uncomment them. If for some reason they aren't there (They will be) you can add them safely.

2) I would not start altering entropy values without a decent knowledge of cryptography and security, the defaults will be fine.

3) You should probably use setcookie() since it will URL encode, which you probably want.

4) Yes you need to take this into consideration, very much so. Security should never be an afterthought, read all the material in the post and if you don't understand it browse about a bit. There are plenty of excellent resources online and I really recommend reading through OWASP.