Simple answer requested:
If I put

```ini
session.cookie_httponly=On
session.cookie_secure=On
```

in the php.ini file for my website, will that automatically turn all the PHP cookies to secure and httponly, or will I still need to put `true, true` into parameter slots 6 and 7 in the cookie itself?
The answer is yes. Setting this in php.ini is enough (however, I only saw "True" as the setting used instead of "On").
Session Cookie without HttpOnly flag set
https://www.owasp.org/index.php/HttpOnly#Using_PHP_to_set_HttpOnly
You can verify this by setting these values, restarting your webserver and accessing your site with a browser, e.g. Firefox. Then open "site information", and choose "security" tab and click on cookies. There you can see if it's marked as secure.
I'm using Apache 2.4.41 with PHP 7.4.3.

I have this script that writes a session:

```php
<?php
// uno.php
session_start();
$_SESSION['chiave'] = 'TEST';
echo session_save_path();
?>
```

Due

When I click the Due link:

```php
<?php
// due.php
session_start();
print_r($_SESSION);
?>
```

I get that `$_SESSION` is empty.

`session.save_path` is writable and I see the session file.

I see in the Firefox debugger the message:

Cookie PHPSESSID has been rejected because a non-HTTPS cookie can't be set as secure.

How can I solve this problem?
Thanks
You have two options:

1. Be secure: use HTTPS instead of plain HTTP.
2. Be insecure and tell PHP you don't care: keep using HTTP and change the `session.cookie_secure` option to off (which is its default value, but one that must have been changed on your server).
In my Ubuntu server, I modified the php.ini file to try and set my session cookies to HttpOnly to be more secure. I modified the line in the php.ini file from `session.cookie_httponly =` to `session.cookie_httponly = 1`, but still no success. When I inspect the page in Chrome, my session cookies are still not flagged HttpOnly. Are there any other steps I am missing to set the HttpOnly flag on my session cookies? I've also tried adding `ini_set("session.cookie_httponly", 1);` before starting sessions, but still no success.
I'm trying to rename my PHP session cookie from `PHPSESSID` to `__Secure-PHPSESSID` as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Examples.

Since PHP does not offer this mechanism, I am doing it through Apache server configuration:

```apache
RequestHeader edit Cookie ^__Secure-PHPSESSID(.*)$ PHPSESSID$1
Header edit Set-Cookie ^PHPSESSID(.*)$ __Secure-PHPSESSID$1
Header edit Set-Cookie ^(.*)(?<!SameSite=Strict)(?<!SameSite=Lax)$ "$1;SameSite=Lax"
```

This works correctly in Firefox, Edge, and Safari, but not Chrome. On Chrome, I can see that the cookie is set with the correct name and flags, but I cannot log in to my site.

Upon login, the output of `var_dump($_SESSION['internal']['user_name'])` is `NULL` on Chrome but shows the correct username on Firefox and other browsers. I can also see that the session ID is being regenerated every time I try to log in and the value is set in the `__Secure-PHPSESSID` cookie.

I tried removing the SameSite flag (line 3 above) and it still does not work.

Any ideas?
PHP does indeed offer this mechanism. You can change it in php.ini. Just set this and restart the site:

```ini
session.name = __SECURE-PHPSESSID
```

To confirm it's right, restart your browser to clear previous session cookies.

As for Chrome not letting you log in, this page may give you some clues (see "Option Secure" and "Prefixes" sections): https://www.mon-code.net/post/108/Secure-cookie-of-you-web-application-with-PHP-or-Symfony

> They are not well known, but supported by all browsers except those of Microsoft. With prefixes, it's possible to force the browser to not accept a cookie if it's misconfigured. There are two prefixes "__Secure-" and "__Host-".
>
> `__Secure-` forces the developer to add the secure flag to his cookie, otherwise it will be ignored by the browser.
>
> ```php
> setcookie('__Secure-user_id', 10, 0, '/', 'orion.dev', true);
> ```
>
> `__Host-` is more restrictive, cookie must have the secure flag but also path to root and blank domain.
>
> ```php
> setcookie('__Host-user_id', 10, 0, '/', '', true);
> ```
I'm not familiar with Cookie Prefixes, but PHP should support it out of the box:

```php
<?php
session_name('__Secure-PHPSESSID');
session_start();
```
You can actually achieve it using PHP, changing the `session.name` parameter. You can do it:

- using `session_name()` in your PHP script
- in the .htaccess file
- directly in the cPanel table that shows PHP options (if you run cPanel)

Examples:

```php
// Example way 1
session_name('__Secure-PHPSESSID');
session_start();
```

```apache
# Example way 2 (.htaccess)
php_value session.name "__Secure-PHPSESSID"
```
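As an added example (this is not code from any of the answers above), here is the runtime equivalent of the php.ini settings discussed on this page: it sets Secure, HttpOnly and SameSite on the session cookie and renames it with the stricter `__Host-` prefix, which requires `Path=/` and an empty `Domain`. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`) and that it runs before any output and before `session_start()`; the function names and the `__Host-PHPSESSID` name are choices made here, not anything PHP prescribes. The report function is the check a deployment can assert on instead of inspecting the browser by hand.

```php
<?php
// Added example (not from the original posts). Assumes PHP >= 7.3 and that it
// runs before any output and before session_start().
declare(strict_types=1);

/**
 * Configure the session cookie. Equivalent php.ini lines:
 *   session.cookie_secure   = On   (On, 1 and True are all accepted booleans)
 *   session.cookie_httponly = On
 *   session.cookie_samesite = Lax
 *   session.name            = __Host-PHPSESSID
 * The __Host- prefix requires Secure, Path=/ and no Domain attribute, so
 * 'path' is '/' and 'domain' is '' on purpose.
 */
function configure_session_cookie(string $name = '__Host-PHPSESSID'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Settings applied after session_start() do not change the cookie
        // that was already sent; a common reason "it still isn't HttpOnly".
        throw new LogicException('configure the cookie before session_start()');
    }
    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: expires with the browser
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Effective cookie settings as PHP will apply them, so a health check or a
 * deployment test can assert on them.
 */
function session_cookie_report(): array
{
    $p = session_get_cookie_params();
    return [
        'name'           => session_name(),
        'secure'         => (bool) $p['secure'],
        'httponly'       => (bool) $p['httponly'],
        'samesite'       => (string) $p['samesite'],
        // __Host- rule: Secure, Path=/ and no Domain
        'host_prefix_ok' => (bool) $p['secure'] && $p['path'] === '/' && $p['domain'] === '',
    ];
}

configure_session_cookie();
$report = session_cookie_report();
if (!$report['secure'] || !$report['httponly'] || !$report['host_prefix_ok']) {
    error_log('session cookie misconfigured: ' . json_encode($report));
}
if (PHP_SAPI !== 'cli') {
    // Emits: Set-Cookie: __Host-PHPSESSID=...; path=/; secure; HttpOnly; SameSite=Lax
    session_start();
}
```

Run it from the CLI to see the report without a web server; the session itself is only started under a web SAPI, where the Set-Cookie header is actually sent. Note that `__Host-` only works over HTTPS: on a plain-HTTP site the browser discards the cookie exactly as in the Firefox message quoted above, so use it together with option 1 ("be secure") from that answer.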
I heard my friend say that I don't have to use session_start() to use $_SESSION in PHP? Is that true? If yes, how do I make it work? If I remove session_start() from my code, I can no longer get $_SESSION to work.
Yes, it is possible not to have session_start() calls on top of every page when you want to work with sessions. That's the job of session autostart. If you set your session to auto start you can avoid those calls; otherwise you must.

> session.auto_start boolean
>
> session.auto_start specifies whether the session module starts a session automatically on request startup. Defaults to 0 (disabled).

So if you set `session.auto_start` to 1 in your PHP configuration, you won't need to start the session manually.

Manual

P.S.: It is working fine for your friend and not for you because he/she has enabled session.auto_start and you haven't touched it, and by default it is disabled.
This question already has answers here: Cookies on localhost with explicit domain (24 answers). Closed 9 years ago.

I'm trying to set a session and a cookie for when the user logs in.

When the user visits the login page, a session is set and started with session_start(), which is working quite alright, but when the user now fills in the login form (with username and password) and the proper check is done for correct login details, I set the cookie:

```php
$one_week = 60*60*24*7;
setcookie("cookiejarcookie", "cookiejar_value", time()+$one_week, '/', 'localhost');
```

It's not working, the cookie is not being set. I've tried calling it from the top of the script, but it's not working.

How do I set the cookie after setting the session?
Trying to set a cookie on localhost does not work in most browsers. You need to set the domain value to null, empty string or false. Most recommendations I've seen are to set the domain value to false. With that said, I've never understood writing code like that, as it is not something you're going to deploy to a production environment.
See the recommendation by #David. I personally use virtualization to run a server environment and map fake dns using the hosts file.
One tip I can offer is that you have to open your editor (I use notepad++ or wordpad) as administrator on most recent versions of windows that have UAE in order to edit the relevant hosts file.
From my comment:

> You cannot set cookies to localhost, but if you add a my.fake.local in your hosts file (/etc/hosts or c:\Windows\System32\drivers\etc\hosts) that should work.

Add

```text
127.0.0.1 my.fake.local
```

in the appropriate hosts file.
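Several of the threads above come down to "will the browser accept this Set-Cookie header, and does it carry the right flags?": the manual browser check in the first answer, the Firefox "non-HTTPS cookie can't be set as secure" rejection, the `__Secure-`/`__Host-` prefix rules quoted from mon-code.net, and the localhost `Domain` problem in the last question. As an added example (not code from any of the posts), here is a small PHP audit that encodes those rules and runs them over a few constructed Set-Cookie lines in the format PHP's session module emits. It is written for PHP 7.4 (no `str_starts_with`); the sample headers and the `example.test` domain are made up for the demonstration. A missing SameSite attribute is reported as a finding rather than a rejection, since the page recommends it but browsers still accept such cookies.

```php
<?php
// Added example, not from any of the posts above: an audit of Set-Cookie
// response headers encoding the browser rules discussed on this page.
// The sample headers at the bottom are constructed, not captured.
declare(strict_types=1);

/** Parse one Set-Cookie header into name, value and lower-cased attributes. */
function parse_set_cookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, true);
        // Flag attributes (Secure, HttpOnly) have no value; store them as true.
        $attrs[strtolower($key)] = is_string($val) ? trim($val) : true;
    }
    return ['name' => trim($name), 'value' => $value, 'attrs' => $attrs];
}

/**
 * Problems a browser would have with this cookie, given the scheme of the
 * response ('http' or 'https'). An empty list means the cookie is accepted
 * and carries the flags a session cookie should have.
 */
function audit_set_cookie(string $header, string $scheme): array
{
    $cookie = parse_set_cookie($header);
    $attrs  = $cookie['attrs'];
    $secure = isset($attrs['secure']);
    $problems = [];

    if ($secure && $scheme !== 'https') {
        // The Firefox message quoted in the Apache/PHP 7.4 question above.
        $problems[] = 'Secure cookie on a non-HTTPS page: browser rejects it';
    }
    if (!$secure) {
        $problems[] = 'missing Secure';
    }
    if (!isset($attrs['httponly'])) {
        $problems[] = 'missing HttpOnly';
    }
    if (!isset($attrs['samesite'])) {
        $problems[] = 'missing SameSite';
    }
    // Cookie prefixes: the browser discards a prefixed cookie that breaks its rule.
    if (strncmp($cookie['name'], '__Secure-', 9) === 0 && !$secure) {
        $problems[] = '__Secure- prefix without Secure: browser rejects it';
    }
    if (strncmp($cookie['name'], '__Host-', 7) === 0
        && (!$secure || ($attrs['path'] ?? '') !== '/' || isset($attrs['domain']))) {
        $problems[] = '__Host- prefix needs Secure, Path=/ and no Domain: browser rejects it';
    }
    // Localhost: an explicit Domain is not accepted; leave Domain empty instead.
    if (is_string($attrs['domain'] ?? null) && strtolower($attrs['domain']) === 'localhost') {
        $problems[] = 'Domain=localhost is not accepted by most browsers; omit Domain';
    }
    return $problems;
}

// Constructed sample headers (not captured from a real server).
$samples = [
    ['https', 'PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax'],
    ['http',  'PHPSESSID=abc123; path=/; secure; HttpOnly'],
    ['https', '__Secure-PHPSESSID=abc123; path=/; HttpOnly; SameSite=Lax'],
    ['https', '__Host-PHPSESSID=abc123; path=/; domain=example.test; secure; HttpOnly; SameSite=Strict'],
    ['http',  'cookiejarcookie=cookiejar_value; expires=Sat, 01-Jan-2030 00:00:00 GMT; path=/; domain=localhost'],
];
foreach ($samples as [$scheme, $header]) {
    $problems = audit_set_cookie($header, $scheme);
    printf("[%s] %s\n    -> %s\n", $scheme, $header, $problems ? implode('; ', $problems) : 'OK');
}
```

The first sample passes; the second reproduces the Firefox rejection (Secure over plain HTTP); the third and fourth show the two prefix rules being violated; the fifth is the localhost cookie from the last question. To audit a live site, feed it the `Set-Cookie` lines from the response headers (for instance from `headers_list()` in a PHP page, or from the browser's network panel) together with the scheme the page was served over.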