Timothy de Vos

Unsecure Cookie

3 posts in this topic

I recently had one of my websites tested on security and the following error came out.

The following cookie does do not have the Secure cookie flag: 
Cookie name: wire, Path: /, Secure Flag: 0 

Can anybody explain to me what this means and what the security risks are here?


If you have an SSL certificate for your domain (https) the wire cookie is set with the secure flag by default. Have a look in wire/config.php

/**
 * Use secure cookies when on HTTPS?
 *
 * When enabled, separate sessions will be maintained for
 * HTTP vs. HTTPS. This ensures the session is secure on HTTPS.
 * The tradeoff is that switching between HTTP and HTTPS means
 * that you may be logged in on one and not the other.
 *
 * 0 or false: secure cookies off
 * 1 or true: secure cookies on (default)
 *
 * @var int
 *
 */
$config->sessionCookieSecure = 1; 

In the .htaccess file you can force using https:

  # -----------------------------------------------------------------------------------------------
  # 9. If you only want to allow HTTPS, uncomment the RewriteCond and RewriteRule lines below.
  # -----------------------------------------------------------------------------------------------
  # RewriteCond %{HTTPS} off
  # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  #

If the flag is enabled, the browser (should) send the cookie only via https.
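As an added illustration of what the scanner in this thread is checking (this is not code from the thread or from ProcessWire), the following Python script parses Set-Cookie response headers and reports cookies that lack the Secure flag, printing them in the same "Cookie name / Path / Secure Flag" shape as the finding above. The cookie name "wire" is taken from the thread; the header values, the second "theme" cookie and the HttpOnly check are constructed additions for the example. Without Secure, a browser will also attach the session cookie to any plain-HTTP request for the same host, which is the exposure the scanner is reporting; with the flag, the cookie is only sent on HTTPS.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) cookie flags."""
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    path: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into name, path and boolean flags.

    Attribute names are case-insensitive (RFC 6265); a flag attribute such as
    Secure carries no value and only has to be present.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    path = "/"          # default when no Path attribute is given
    secure = httponly = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "path" and val:
            path = val.strip()
    return CookieReport(name=name.strip(), path=path, secure=secure, httponly=httponly)


def audit_cookies(headers, scheme="https"):
    """Return one CookieReport per header, with a finding for each missing flag.

    `headers` is an iterable of Set-Cookie values taken from a response served
    over `scheme`. A cookie set over HTTPS without Secure is also sent on any
    plain-HTTP request to the same host, which is what the scanner flags.
    """
    reports = []
    for h in headers:
        r = parse_set_cookie(h)
        if scheme == "https" and not r.secure:
            r.findings.append("missing Secure flag: cookie is also sent over plain HTTP")
        if not r.httponly:
            r.findings.append("missing HttpOnly flag: cookie is readable from page scripts")
        reports.append(r)
    return reports


# Constructed sample headers (not captured from a real site): the first two
# model the "wire" session cookie before and after sessionCookieSecure is on,
# the third is a made-up preference cookie with no flags at all.
SAMPLE_HEADERS = [
    "wire=abc123; Path=/; HttpOnly",
    "wire=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_HEADERS):
        status = "OK" if not r.findings else "; ".join(r.findings)
        print(f"Cookie name: {r.name}, Path: {r.path}, Secure Flag: {int(r.secure)} -> {status}")
```

Run it against the Set-Cookie headers of a real response (for example copied from the browser's network panel, or from `curl -I https://example.test/`) to confirm that the flag is actually present after enabling `$config->sessionCookieSecure`; note that the flag only helps once the site is also forced to HTTPS as in the .htaccess rule above, otherwise the browser simply keeps a separate insecure session for plain HTTP.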
