
Unsecure Cookie


Timothy de Vos

If you have an SSL certificate for your domain (https), the wire cookie is set with the secure flag by default. Have a look in wire/config.php:

/**
 * Use secure cookies when on HTTPS?
 *
 * When enabled, separate sessions will be maintained for
 * HTTP vs. HTTPS. This ensures the session is secure on HTTPS.
 * The tradeoff is that switching between HTTP and HTTPS means
 * that you may be logged in on one and not the other.
 *
 * 0 or false: secure cookies off
 * 1 or true: secure cookies on (default)
 *
 * @var int
 *
 */
$config->sessionCookieSecure = 1; 

In the .htaccess file you can force using https:

  # -----------------------------------------------------------------------------------------------
  # 9. If you only want to allow HTTPS, uncomment the RewriteCond and RewriteRule lines below.
  # -----------------------------------------------------------------------------------------------
  # RewriteCond %{HTTPS} off
  # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  #

If the flag is enabled, the browser (should) send the cookie only via https.

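Added example, not part of the original post or ProcessWire's own code: a Python check over response headers that reports a cookie set over HTTPS without the Secure flag, and a plain-HTTP request that is not answered with a 301 redirect to HTTPS. The sample responses, the example.com host and the cookie values are constructed, and the function names are hypothetical.

```python
# Added example: audit response headers for the two settings discussed above.
# SAMPLES is constructed input, not output captured from a real site.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attrs); attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()   # first part is always name=value
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(url, status, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    https = url.lower().startswith("https://")
    cookies = [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]
    if https:
        for name, attrs in cookies:
            if "secure" not in attrs:
                findings.append(f"{name}: set over HTTPS without the Secure flag")
    else:
        # With the .htaccess rule enabled, plain HTTP should only ever return a 301.
        location = next((v for n, v in headers if n.lower() == "location"), "")
        if status != 301 or not location.lower().startswith("https://"):
            findings.append("plain HTTP request was not redirected (301) to https://")
        for name, _ in cookies:
            findings.append(f"{name}: cookie set on a plain HTTP response")
    return findings


SAMPLES = [  # constructed responses: (url, status, headers)
    ("http://example.com/", 301, [("Location", "https://example.com/")]),
    ("https://example.com/", 200, [("Set-Cookie", "wire=abc123; path=/; HttpOnly; Secure")]),
    ("https://example.com/", 200, [("Set-Cookie", "wire=abc123; path=/; HttpOnly")]),
    ("http://example.com/", 200, [("Set-Cookie", "wire=abc123; path=/")]),
    ("https://example.com/", 200, [("Set-Cookie", "pref=secure; path=/")]),
]

if __name__ == "__main__":
    for url, status, headers in SAMPLES:
        print(url, status, audit(url, status, headers) or "ok")
```

The last sample shows why the attribute list is parsed rather than searched as a string: a cookie whose value is "secure" still lacks the flag.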
