Simple answer requested: If I put
session.cookie_httponly=On
session.cookie_secure=On
in the php.ini file for my website, will that automatically turn all the php cookies to secure and httponly, or will I still need to put in true, true into parameter slots 6 and 7 in the cookie itself?
Answer
The answer is yes. Setting this in php.ini is enough (however, I only saw “True” as the setting used instead of “On”).
- Session Cookie without HttpOnly flag set
- https://www.owasp.org/index.php/HttpOnly#Using_PHP_to_set_HttpOnly
You can verify this by setting these values, restarting your webserver and accessing your site with a browser, e.g. Firefox. Then open “site information”, and choose “security” tab and click on cookies. There you can see if it’s marked as secure.
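An added example, not code from the question or the answer above, showing where each cookie's flags come from: the session.cookie_* directives govern the session cookie that session_start() emits, while a cookie set with setcookie() takes its Secure and HttpOnly flags only from its own arguments (positional parameters 6 and 7, or the options array on PHP 7.3+). The cookie names and values are constructed for the example; it assumes PHP 7.3 or later and a web SAPI such as `php -S localhost:8080 example.php`.

```php
<?php
// ini_set() here is equivalent to the php.ini lines; it must run before session_start().
// The directive values below use '1', which PHP accepts like "On"/"True".
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3

// Emits: Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly; SameSite=Lax
// (over plain http the header is still sent, but browsers refuse to store a Secure cookie)
session_start();

// session_get_cookie_params() reflects the ini values session_start() used.
$sessionParams = session_get_cookie_params();

// A cookie set with setcookie() does NOT inherit session.cookie_*.
// Positional form: parameter 6 = secure, parameter 7 = httponly (constructed name/value).
setcookie('remember_me', 'example-token', time() + 3600, '/', '', true, true);

// PHP >= 7.3 options-array form, which also allows SameSite.
setcookie('prefs', 'dark', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Defensive self-check: list every Set-Cookie header this response will send
// that is missing the Secure or HttpOnly attribute (attribute names are case-insensitive).
function cookiesMissingFlags(array $headers): array
{
    $missing = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        $hasSecure   = preg_match('/;\s*secure\b/i', $h) === 1;
        $hasHttpOnly = preg_match('/;\s*httponly\b/i', $h) === 1;
        if (!$hasSecure || !$hasHttpOnly) {
            $missing[] = $h;
        }
    }
    return $missing;
}

header('Content-Type: text/plain');
echo "session cookie secure/httponly: ",
     var_export($sessionParams['secure'], true), ' / ',
     var_export($sessionParams['httponly'], true), "\n";
echo "cookies missing flags: ", count(cookiesMissingFlags(headers_list())), "\n";
```

Request the page and compare with the browser's cookie view described above; the reported count should be 0, and removing `true, true` from the setcookie() call makes the remember_me cookie appear in the list even though the session cookie keeps its flags.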