问题
My config file looks like this:
ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);
session_start();
//database connection part...
When accessing this page via https://www.mysite.com/config.php, the PHPSESSID cookie it's "Secure" slot is empty. Visiting the page via http://www.mysite.com/config.php shows the exact same cookie, with the same value.
I'm new to this so maybe I'm wrong, but this shouldn't happen, right? What am I doing wrong?
Thanks!
回答1:
The ini_set method requires a string value so update your code to the following:
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();
回答2:
The session id will be sent to the client regardless of HTTP or HTTPS. You must make this distinction in your code because, apparently, PHP does not.
Fiddle with this on http (not https), leave cookie_secure set to 'on'. You will see that the cookie is transmitted to the client. (Use your favorite cookie analysis here.) But, on reload, the cookie is not submitted back to the server. cookie_secure - the client will transmit the cookie only over a secure connection.
<?php
ini_set('session.cookie_secure','on');
session_name('test');
session_start();
session_regenerate_id();
echo "test: '".$_COOKIE['test']."'";
?>
Change the setting to 'off' and, after the second reload, you will see that the session cookie is transmitted back to the server.
To validate that you on a secure connection and should even call session_start:
<?php
$secure = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "" );
if(!$secure) {
$r = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
header("Location: $r");
exit("use https!");
}
//if($secure) {
session_start();
/* and other secure happenings;;; */
//}
?>
or How to find out if you're using HTTPS without $_SERVER['HTTPS']
Note: This looks like a security flaw in PHP, to me, since the session id will be transmitted in cleartext: according to OWASP this is exactly what the SecureFlag is intended to prevent. https://www.owasp.org/index.php/SecureFlag --- I am using PHP 5.5.8 ; Perhaps this is a 'feature' of the language. The definition seems to be directed solely toward the client and not the server.
来源:https://stackoverflow.com/questions/20838605/cookie-still-set-on-http-with-ini-setsession-cookie-secure-1