mebjas/CSRF-Protector-PHP

Add secure flag to cookie for HTTPS sites

mberkowski opened this issue · 5 comments

While assisting with a site that has incorporated this project, I noticed that the CSRF cookie is set without the secure flag. As a feature request, consider setting the secure flag in the setcookie() call when the code can detect it is running under HTTPS (via $_SERVER['HTTPS'] for example) or as a configurable option.

Yeah, that's good if the application is HTTPS only, which sadly isn't a generic case as of now. Check this thread, #48; there was a PR for the same. You could use it, though, if the app is actually HTTPS only.

The tight coupling to port 443 is problematic in that PR. There is risk though for sites that aren't guaranteed https all the time, so perhaps a default-off configuration option instead.

Yeah, it can be made configurable with default off.

Feel free to send a PR, with the config value as something like httpsOnly, let's say.

Implemented with 6f12262
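The shape of the fix discussed above, as an added illustration that is not the project's code and not the contents of commit 6f12262: a default-off `httpsOnly` option that sets the Secure flag on the CSRF cookie only when the option is enabled and the request actually arrived over HTTPS (detected via `$_SERVER['HTTPS']`, as the opening post suggests). The config keys, the cookie name and the function names are assumptions for this example. The HTTPS check also covers the case where a server sets `$_SERVER['HTTPS']` to the literal string `"off"`; the guard against HTTP requests matters because a browser will not send a Secure cookie back over HTTP, so setting the flag unconditionally on a mixed HTTP/HTTPS site breaks token validation, which is the risk raised in the thread.

```php
<?php
// Added example, not CSRF-Protector-PHP's own code. Requires PHP >= 7.3 for
// the options-array form of setcookie().

/** Hypothetical config mirroring the thread's proposal; httpsOnly defaults to off. */
$config = [
    'cookieName' => 'CSRF_AUTH_TOKEN',   // assumed name for this example
    'httpsOnly'  => false,               // default off, as agreed in the thread
];

/**
 * Whether the current request was served over HTTPS.
 * $_SERVER['HTTPS'] is unset on plain HTTP, and some servers (e.g. IIS) set it
 * to the string "off", so both cases are treated as HTTP.
 */
function requestIsHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

/**
 * Build the setcookie() options. Secure is set only when the option is on
 * AND the request is HTTPS; otherwise the browser would drop the cookie on
 * HTTP requests and CSRF validation would fail.
 */
function csrfCookieOptions(array $config, array $server): array
{
    $secure = !empty($config['httpsOnly']) && requestIsHttps($server);
    return [
        'path'   => '/',
        'secure' => $secure,
    ];
}

/** Set the CSRF token cookie with the computed flags. */
function setCsrfCookie(string $token, array $config, array $server): bool
{
    return setcookie($config['cookieName'], $token, csrfCookieOptions($config, $server));
}

// Usage: a fresh random token for this response.
setCsrfCookie(bin2hex(random_bytes(32)), $config, $_SERVER);
```

With `httpsOnly` left at its default, behaviour is unchanged from a plain `setcookie()` call; an operator of an HTTPS-only site flips it to `true`, and the request check keeps the flag from being applied if that site is ever reached over HTTP. The tight coupling to port 443 that the thread objects to is avoided by checking `$_SERVER['HTTPS']` rather than `$_SERVER['SERVER_PORT']`.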