Timothy de Vos Posted January 11, 2017

I recently had one of my websites tested for security and the following error came out.

The following cookie does not have the Secure cookie flag: Cookie name: wire, Path: /, Secure Flag: 0

Can anybody explain to me what this means and what the security risks are here?

kixe Posted January 11, 2017

If you have an SSL certificate for your domain (https) the wire cookie is set with the secure flag by default. Have a look in wire/config.php

```php
/**
 * Use secure cookies when on HTTPS?
 *
 * When enabled, separate sessions will be maintained for
 * HTTP vs. HTTPS. This ensures the session is secure on HTTPS.
 * The tradeoff is that switching between HTTP and HTTPS means
 * that you may be logged in on one and not the other.
 *
 * 0 or false: secure cookies off
 * 1 or true: secure cookies on (default)
 *
 * @var int
 *
 */
$config->sessionCookieSecure = 1;
```

In the .htaccess file you can force using https:

```apache
# -----------------------------------------------------------------------------------------------
# 9. If you only want to allow HTTPS, uncomment the RewriteCond and RewriteRule lines below.
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
```

If the flag is enabled, the browser (should) send the cookie only via https.
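
A small check for the scanner finding discussed in this thread, as an added example that is not part of the original posts or of ProcessWire itself: it parses `Set-Cookie` header values and reports whether the Secure attribute is present, using the report format quoted in the first post. The header values are constructed samples, and the function names are made up for this example.

```python
# Added example: audit Set-Cookie header values for the Secure attribute.
# All header values below are constructed samples, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after is attributes.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive ("Secure", "secure", "SECURE").
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(header_values):
    """Return one finding per cookie: its name, path and Secure flag (0/1)."""
    findings = []
    for raw in header_values:
        name, _value, attrs = parse_set_cookie(raw)
        findings.append({
            "name": name,
            "path": attrs.get("path", ""),
            # Only a real attribute counts, never text inside the cookie value.
            "secure": 1 if "secure" in attrs else 0,
        })
    return findings


def report(findings):
    """Format findings the way the scanner output in the thread reads."""
    return [
        "Cookie name: {name}, Path: {path}, Secure Flag: {secure}".format(**f)
        for f in findings
    ]


# Constructed samples: the session cookie without and with the flag, plus a
# cookie whose *value* is the word "secure" (must still be reported as 0).
SAMPLE_HEADERS = [
    "wire=abc123; path=/; HttpOnly",
    "wire=abc123; path=/; secure; HttpOnly",
    "pref=secure; Path=/; Expires=Thu, 11 Jan 2018 10:00:00 GMT",
]

if __name__ == "__main__":
    for line in report(audit(SAMPLE_HEADERS)):
        print(line)
```
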

Timothy de Vos Posted January 11, 2017

@kixe Thanks for the quick reply. So if I change to https the error should be gone?