Meaning of PHP setcookie() parameter secure

Time:07-03

So I did some digging and did not find a satisfactory answer to my question concerning the PHP setcookie() parameter secure. The documentation says the following:

Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to true, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

What I do not understand is the last part. What is meant by "On the server-side[...]"?

I did some testing and on my local machine, cookies are set even without https when secure is set to true. On my webserver, they are not. So does the browser consider localhost to be secure even without https?

I both set secure to true and check $_SERVER["HTTPS"] to be on the safe side, but I would like to know what exactly secure does, or rather what it does not do.

Best wishes and thanks!

CodePudding user response:

The secure parameter for setcookie() will indicate to the client/browser to send the cookie only on HTTPS requests.

However, the cookie will be set on the client, even if you are not using HTTPS. This is where you might make use of $_SERVER["HTTPS"], to check if you really should send the cookie with the response of your server.

But on all requests from the client using only HTTP the cookie information will be missing.

CodePudding user response:

You set the cookie with your server, in your code with php like:

Example:

<?php

// Cookie attributes passed as the options array of setcookie() (PHP 7.3+).
$COOKIESET = [
    'expires'  => 0,                      // 0 = session cookie, removed when the browser closes
    'path'     => '/',                    // the path must be a quoted string
    'domain'   => 'YOURDOMAIN OR YOURIP',
    'secure'   => true,                   // boolean, not the string 'true'
    'httponly' => true,
    'samesite' => 'Strict',
];

setcookie("NAME", "VALUE", $COOKIESET);

?>

Use of SECURE in cookie:

It means the browser will only send the cookie when the current connection is encrypted (SSL/TLS). You only use it with an encrypted connection.

The $_SERVER["HTTPS"] request sometimes gives no result on some webservers, so try the code from this post:

How to find out if you're using HTTPS without $_SERVER['HTTPS']

// True when the web server reports TLS (HTTPS set and not "off") or the request arrived on port 443.
function isSecure() {
  return
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;
}

or this:

$isSecure = false;
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    // TLS terminated by this web server
    $isSecure = true;
}
elseif ((!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
     || (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on')) {
    // TLS terminated by a reverse proxy or load balancer in front of PHP,
    // reported through the X-Forwarded-* headers it adds
    $isSecure = true;
}
$REQUEST_PROTOCOL = $isSecure ? 'https' : 'http';

Check this too:

session.cookie_secure with php

From:

Can a secure cookie be set from an insecure HTTP connection? If so, why is it allowed?

Secure cookies can be set over insecure channels (e.g. HTTP) as per section 4.1.2.5 of RFC 6265. It explicitly mentions that the Secure flag only provides confidentiality and not integrity, as a Secure flagged cookie can still be set from an insecure channel, overwriting any previously set value (via a secure channel or otherwise):

Use of HttpOnly in cookie:

An HttpOnly Cookie is a tag added to a browser cookie that prevents client-side scripts from accessing data. It provides a gate that prevents the specialized cookie from being accessed by anything other than the server.
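Pulling the two answers together, here is an added example (not from the original post or from the PHP documentation) that emits the cookie only when the request is known to have arrived over TLS; the function names isSecureRequest() and setSecureCookie() are hypothetical, and it goes one step beyond the page by using the __Host- cookie-name prefix, which browsers accept only over HTTPS, as a mitigation for the RFC 6265 integrity caveat quoted above.

```php
<?php
// Added example (not from the original post): send a Secure cookie only when
// the request really arrived over TLS, and use the __Host- prefix so browsers
// refuse the same cookie name if anything tries to set it over plain HTTP.

// Decide whether the request came over HTTPS. $server is normally $_SERVER;
// passing it in keeps the function testable. Forwarded headers are honoured
// only when $trustProxy is true, because any client can send X-Forwarded-Proto.
function isSecureRequest(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    if ((int)($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    if ($trustProxy) {
        $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        $ssl   = strtolower($server['HTTP_X_FORWARDED_SSL'] ?? '');
        return $proto === 'https' || $ssl === 'on';
    }
    return false;
}

// Emit the cookie only over HTTPS; otherwise send nothing and return false so
// the caller can react (redirect to https://, log it, ...).
function setSecureCookie(string $name, string $value, int $maxAge,
                         array $server, bool $trustProxy = false): bool
{
    if (!isSecureRequest($server, $trustProxy)) {
        return false;
    }
    // __Host- cookies are accepted by browsers only with Secure, Path=/ and no
    // Domain attribute, which closes the "overwrite it over HTTP" gap of RFC 6265.
    return setcookie('__Host-' . $name, $value, [
        'expires'  => $maxAge > 0 ? time() + $maxAge : 0,
        'path'     => '/',
        'secure'   => true,   // a real bool, not the string 'true'
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample environments (no web server needed) for the decision logic.
$plainHttp = ['HTTPS' => '', 'SERVER_PORT' => '80'];
$tls       = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
$proxied   = ['SERVER_PORT' => '8080', 'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(isSecureRequest($plainHttp), isSecureRequest($tls),
         isSecureRequest($proxied), isSecureRequest($proxied, true));
```

Set $trustProxy to true only when PHP sits behind a proxy you control that strips client-supplied X-Forwarded-* headers before adding its own.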
