Timothy de Vos
Posted January 11, 2017

I recently had one of my websites tested on security and the following error came out.

The following cookie does not have the Secure cookie flag:
Cookie name: wire, Path: /, Secure Flag: 0

Can anybody explain to me what this means and what the security risks are here?

kixe
Posted January 11, 2017

If you have an SSL certificate for your domain (https) the wire cookie is set with the secure flag by default. Have a look in wire/config.php

```php
/**
 * Use secure cookies when on HTTPS?
 *
 * When enabled, separate sessions will be maintained for
 * HTTP vs. HTTPS. This ensures the session is secure on HTTPS.
 * The tradeoff is that switching between HTTP and HTTPS means
 * that you may be logged in on one and not the other.
 *
 * 0 or false: secure cookies off
 * 1 or true: secure cookies on (default)
 *
 * @var int
 *
 */
$config->sessionCookieSecure = 1;
```

In the .htaccess file you can force using https:

```apache
# -----------------------------------------------------------------------------------------------
# 9. If you only want to allow HTTPS, uncomment the RewriteCond and RewriteRule lines below.
# -----------------------------------------------------------------------------------------------
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
```

If the flag is enabled, the browser (should) send the cookie only via https.

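An added example (not part of either post, and not ProcessWire code): a small Python check that reproduces the tester's finding from a response's Set-Cookie headers, so the setting can be re-checked after a change. The function names and header values are constructed for illustration; the point of the flag is that a cookie without the Secure attribute is sent by the browser over plain HTTP as well as HTTPS.

```python
# Added example: check Set-Cookie headers for the Secure attribute.
# All header values below are constructed samples, not captured traffic.


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attributes dict)."""
    first, *rest = header.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            # Attribute names are case-insensitive: Secure, secure, SECURE.
            attrs[key.lower()] = val.strip()
    return name, attrs


def secure_flag_report(headers):
    """Return one finding line per cookie, in the format quoted in the question."""
    lines = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        # Secure carries no value; only the presence of the attribute counts.
        flag = 1 if "secure" in attrs else 0
        path = attrs.get("path", "")
        lines.append(f"Cookie name: {name}, Path: {path}, Secure Flag: {flag}")
    return lines


def missing_secure(headers):
    """Names of cookies that a browser would also send over plain HTTP."""
    return [n for n, a in map(parse_set_cookie, headers) if "secure" not in a]


SAMPLE_HEADERS = [
    "wire=constructed0001; path=/; HttpOnly",          # flag off
    "wire=constructed0002; Path=/; Secure; HttpOnly",  # flag on
    "pref=secure; path=/",  # the value says "secure", the attribute is absent
]

if __name__ == "__main__":
    for line in secure_flag_report(SAMPLE_HEADERS):
        print(line)
    print("Missing Secure:", missing_secure(SAMPLE_HEADERS))
```

The third sample shows why the check parses attributes instead of searching the header for the word "secure".
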
Timothy de Vos (Author)
Posted January 11, 2017

@kixe Thanks for the quick reply. So if I change to https the error should be gone?