Jeff Jeff - 7 months ago 55
Linux Question

Session cookies http & secure flag - how do you set these?

Just received the results of a security audit - everything clear apart from two things:

Session cookie without http flag.

Session cookie without secure flag set.

The application is coded in PHP and the suggestions to fix are:

  1. set session cookie with http only flag

  2. set session cookie with secure flag

I have looked at examples but don't fully understand how to implement this on a Linux server. I don't have access to the .ini file. Is it possible to set these in the .htaccess file?

Alternatively, how and where do I implement this in the code?

eis eis

Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:

php_value session.cookie_httponly 1
php_value session.cookie_secure 1

Note that session cookies will only be sent with HTTPS requests after that. This might come as a surprise if you lose a session on a non-secured HTTP page (but, as pointed out in the comments, that is really the point of the configuration in the first place...).
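For the "how and where in the code" half of the question, here is an added example (not from the answer above) that sets the same two flags from PHP itself, before session_start(), and includes a small self-check function so you can confirm the flags are in effect; it assumes the application is served only over HTTPS and that PHP 7.3 or newer is in use (array form of session_set_cookie_params).

```php
<?php
// Added example: set the session cookie flags in application code instead of
// .htaccess. This must run before session_start(), otherwise the cookie has
// already been emitted with the old parameters.

$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;

if (!$isHttps) {
    // Assumption: the app is HTTPS-only. Refusing to start a session over plain
    // HTTP avoids the "lost session" surprise described in the answer: the
    // browser would never send a secure cookie on an HTTP page anyway.
    http_response_code(400);
    exit('Sessions are only available over HTTPS');
}

// PHP 7.3+ array form. Equivalent to:
//   ini_set('session.cookie_httponly', '1');
//   ini_set('session.cookie_secure', '1');
session_set_cookie_params([
    'lifetime' => 0,      // true session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,   // only sent over HTTPS (the audit's "secure flag")
    'httponly' => true,   // not exposed to document.cookie (the "http flag")
    'samesite' => 'Lax',  // extra CSRF hardening; not required by the audit
]);

/** Returns the required flags that are NOT set; an empty array means OK. */
function missingSessionCookieFlags(): array
{
    $p = session_get_cookie_params();
    $missing = [];
    if (empty($p['secure']))   { $missing[] = 'secure'; }
    if (empty($p['httponly'])) { $missing[] = 'httponly'; }
    return $missing;
}

if (missingSessionCookieFlags() !== []) {
    // Should never happen after the call above; a hosting override would show up here.
    error_log('Session cookie flags missing: ' . implode(',', missingSessionCookieFlags()));
}

session_start();
```

To confirm from outside, request a page that starts a session and look at the response header, e.g. `curl -sI https://your-host/ | grep -i set-cookie`; the PHPSESSID line should end with `; secure; HttpOnly`.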