Session cookies http & secure flag - how do you set these?

Backend · Unresolved · 3 · 1051
生来不讨喜 2020-12-23 10:16

Just received the results of a security audit - everything clear apart from two things:

Session cookie without http flag.

Session cookie without secure flag.

3 answers
  • 2020-12-23 10:26

    You can set them before you send the header. Just add these lines below in your code.

    <?php
    // **PREVENTING SESSION HIJACKING**
    // Prevents javascript XSS attacks aimed to steal the session ID
    ini_set('session.cookie_httponly', 1);
    
    // **PREVENTING SESSION FIXATION**
    // Session ID cannot be passed through URLs
    ini_set('session.use_only_cookies', 1);
    
    // Marks the session cookie Secure: the browser only sends it over HTTPS
    ini_set('session.cookie_secure', 1);
    
    // The settings above only take effect if they run before the session is started
    session_start();
    
    0 · Comments (0)
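For completeness, here is an added example (not code from the answer above or from the PHP project) that does the same job with `session_set_cookie_params()` and then verifies the result in two places: the in-process cookie parameters before `session_start()`, and a captured `Set-Cookie` response header, which is what the auditor actually looked at. It assumes PHP 7.3 or later (the array form of `session_set_cookie_params()` and the `samesite` key); the function names, the `your-host` placeholder and the two sample header lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from any of the answers above.
// Part 1: set the cookie flags programmatically before session_start().
// Part 2: audit a Set-Cookie header line captured from the deployed site, which
//         is how you confirm the audit finding is really fixed.

function hardenSessionCookie(): void
{
    // Must run before session_start(); PHP reads these when it emits Set-Cookie.
    ini_set('session.use_only_cookies', '1'); // never accept the session id from a URL
    ini_set('session.use_strict_mode', '1');  // reject session ids the server did not issue

    // Array form requires PHP >= 7.3 and is the only way to set SameSite through this call.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, no persistent expiry
        'path'     => '/',
        'domain'   => '',     // assumption: cookie scoped to the current host only
        'secure'   => true,   // Secure: sent over HTTPS only
        'httponly' => true,   // HttpOnly: not readable through document.cookie
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
}

/** Problems with the effective in-process settings; an empty array means all flags are set. */
function auditSessionParams(): array
{
    $p = session_get_cookie_params();
    $problems = [];
    if (empty($p['secure']))           { $problems[] = 'Secure flag not set'; }
    if (empty($p['httponly']))         { $problems[] = 'HttpOnly flag not set'; }
    if (($p['samesite'] ?? '') === '') { $problems[] = 'SameSite attribute not set'; }
    if (ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session id may be accepted from the URL';
    }
    return $problems;
}

/**
 * Problems found in one Set-Cookie response header line, e.g. as captured with
 * `curl -sI https://your-host/` (placeholder host). Attribute names are case-insensitive.
 */
function auditSetCookieHeader(string $headerLine): array
{
    $line  = preg_replace('/^set-cookie:\s*/i', '', $headerLine);
    $parts = array_map('trim', explode(';', $line));
    $attrs = [];
    // $parts[0] is the name=value pair; everything after it is an attribute.
    foreach (array_slice($parts, 1) as $attr) {
        [$name, $value] = array_pad(explode('=', $attr, 2), 2, null);
        $attrs[strtolower($name)] = $value;
    }
    $problems = [];
    if (!array_key_exists('secure', $attrs))   { $problems[] = 'missing Secure'; }
    if (!array_key_exists('httponly', $attrs)) { $problems[] = 'missing HttpOnly'; }
    if (!array_key_exists('samesite', $attrs)) { $problems[] = 'missing SameSite'; }
    return $problems;
}

// Constructed sample headers: the "before" line is what the audit complained about.
$before = 'Set-Cookie: PHPSESSID=abc123; path=/';
$after  = 'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax';
print_r(auditSetCookieHeader($before)); // missing Secure, missing HttpOnly, missing SameSite
print_r(auditSetCookieHeader($after));  // empty array

hardenSessionCookie();
$problems = auditSessionParams();
if ($problems !== []) {
    // Fail loudly instead of starting a session with a weak cookie.
    http_response_code(500);
    exit('Refusing to start session: ' . implode('; ', $problems));
}
if (PHP_SAPI !== 'cli') {
    session_start();
}
```

Running the file from the command line exercises only the header audit and the parameter check; under a web server it also starts the session, so the emitted `Set-Cookie` line should then pass `auditSetCookieHeader()` as well.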
  • 2020-12-23 10:32

    Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:

    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    

    Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session on a non-secured http page (but, as pointed out in the comments, that is really the point of the configuration in the first place...).

    0 · Comments (0)
  • 2020-12-23 10:43

    I know this specifically said they do not have access to the .ini file but for those who get here via search results the .ini settings look like:

    session.cookie_httponly = 1
    session.cookie_secure = 1
    

    The cookie_secure setting is already present by default in most ini files but commented out. So uncomment that line and set it to 1. The httponly line is also already present and not commented out, but defaults to 0. So you must hunt it down and set it.

    0 · Comments (0)