[adn258]

So this has been driving me crazy and I've used my code on two different servers meaning I'm almost sure this is an error on MY PART not the servers part. In the php.ini file I set code directives like so

session.cookie_secure
session.cookie_httponly
session.use_only_cookies

all to true or 1.

This appears to work fine because when I use phpinfo() you can see these directives turned to on. Then here's what happens.

$_SESSIONS don't work anymore. You can't login to the site. It says you're logged in but no session or session variables are created. Essentially sessions don't work at ALL anymore.

I can't for the life of me figure out why this is happening? Any ideas for you awesome folks here?

[CTphpnwb]

From the manual:

Quote

session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off

Do you have an SSL certificate?

Sessions require a cookie (with the session id) to be stored on the client's computer.

[adn258]

CTphpnwb, on 28 November 2012 - 07:30 PM, said:

From the manual:

Quote

session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off

Do you have an SSL certificate?

Sessions require a cookie (with the session id) to be stored on the client's computer.

Right I'm supposing I must have them right? Since sessions work JUST FINE when these security php directives are turned off. Am I missing something here?

[adn258]

Sorry to be a bug but does anyone have any idea what this could be? This has been driving me crazy for weeks and I finally brought myself to ask people here?

[Xupicor]

You didn't answer the first question. Do you connect trough "https://..."?

[adn258]

Xupicor, on 01 December 2012 - 01:42 AM, said:

You didn't answer the first question. Do you connect trough "https://..."?

No is that the reason I'm having this issue? I'm using http. How do you use https?

[CTphpnwb]

You buy an SSL certificate. I believe they're $100/year.

[adn258]

CTphpnwb, on 02 December 2012 - 03:32 PM, said:

You buy an SSL certificate. I believe they're $100/year.

Right. Can I use the other PHP ini directives and not use the secure.cookies then?

[Anthonidas]

Well, just don't set the ini directives to use SSL. Review your first post, you should not set them to 1 or true if you don't want to use them...

[adn258]

Anthonidas, on 06 December 2012 - 06:06 AM, said:

Well, just don't set the ini directives to use SSL. Review your first post, you should not set them to 1 or true if you don't want to use them...

So I'm still confused. Are you saying I can still use these directives without SSL because yes I would like to use them and make the server more secure.

[Anthonidas]

If you want to use SSL, you need a certificate, as said by CTphpnwb. If you don't have one, you have to buy it. If you don't want to buy a certificate you mustn't set session.cookie_secure to on. Not really difficult to understand.

The other two directives have nothing to do with SSL, so you still can use them...

[adn258]

Anthonidas, on 08 December 2012 - 04:44 PM, said:

If you want to use SSL, you need a certificate, as said by CTphpnwb. If you don't have one, you have to buy it. If you don't want to buy a certificate you mustn't set session.cookie_secure to on. Not really difficult to understand.

The other two directives have nothing to do with SSL, so you still can use them...

Thanks for your help I appreciate that. So short of packet sniffing attacks against a user which happen on public networks etc. doesn't just setting the other two directives avoid 99% of all the other classic session hijacking techniques? Like of course the classic XSS attacks that steal cookie SID's from javascript? How much more paranoid do I need to be than that since my site isn't about banking or anything super confidential?

Also are there any other techniques that help secure these things without an SSL?

[adn258]

Unless your site is like banking or something is it really necessary to have secure cookies and by settings the other two directives don't you make it hard to impossible for most hacking techniques like XSS to work?

[CTphpnwb]

XSS can work by injecting javascript into HTML regardless of the cookies.