Reputation: 313
PHP session.cookie_secure: Disables sessions when set to true
When I set the following config:
ini_set("session.cookie_secure", 1);
My whole application's session disables and I can no longer write to or read from session variables.
$sessionName = "us";
session_name($sessionName);
ini_set('session.cookie_httponly', 1);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', 1);
// ini_set('session.cookie_secure', 1);
session_start();
session_regenerate_id();
Is this config compatible with session.cookie_secure? PHP Manual doesn't seem to have explanation of all these configs. Manual
Upvotes: 5
Views: 23851
Answers (2)
Reputation: 3461
Setting session.cookie_secure to true means that it will only send the session cookie over a secure connection aka (SSL)
If you aren't using SSL then you won't be sending the session cookie in your requests
Read the PHP manual about session.cookie_secure.
Upvotes: 2
Reputation: 4680
session.cookie_secure specifies whether cookies should only be sent over secure connections (HTTPS). If you're using HTTP, you won't get any cookies from the server. That's why you don't have a session.
edit: I should be more accurate. You get the cookies, but your browser doesn't send them to the server, because you're not using a secure connection.
Upvotes: 20
Related Questions
- Setting secure session cookies in php
- Session missing except when I use an "unsafe" cookie
- php session and cookies destroy
- Php cannot read secure cookies
- Session not set when set session.cookie_secure = 1
- PHP - Session already started - ignoring session_start (but doesn't do just that)
- PHP session.cookie_secure does not actually set the cookie to secure
- Why doesn't session work when cookie is disabled?
- Consequences of turning off session.cookie_secure in PHP
- Secure cookies in PHP sessions