
Does PHP send a cookie to localhost over HTTP when session_start() is called with cookie_secure equal to true?

If I start a session like below on a server and a localhost client tries to request the server via HTTP, does it respond with the session cookie?

Or must it go through HTTPS?

I read the doc and it did say only through HTTPS, but I wonder if localhost is an exception.

session_start([
    'cookie_secure' => true
]);


Answer

Yes, it does:

[Image: Network pane in browser developer tools]

If you try this in a browser, you’ll also see a warning saying that the cookie was rejected.

This makes sense because PHP has no control over the entire communication channel and it’s possible that the end-user is connecting to a secure proxy that redirects internally to a non-encrypted HTTP server.

User contributions licensed under: CC BY-SA
9 People found this is helpful
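
Since PHP emits the Secure cookie whatever the scheme, the application has to decide for itself whether the client-facing hop was HTTPS before starting the session. The following is an added example, not code from the question or the answer. It assumes a TLS-terminating proxy that sets X-Forwarded-Proto; TRUSTED_PROXIES, CANONICAL_HOST and the sample requests are constructed placeholders.

```php
<?php
// Added example. TRUSTED_PROXIES and CANONICAL_HOST are constructed placeholders.
const TRUSTED_PROXIES = ['127.0.0.1'];
const CANONICAL_HOST  = 'app.example.test';

// True only if the client-facing hop used TLS.
function requestIsHttps(array $server, array $trustedProxies): bool
{
    // TLS terminated by the web server PHP runs under.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated upstream: accept X-Forwarded-Proto only from a known proxy,
    // because any client can send that header.
    $peer  = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return in_array($peer, $trustedProxies, true) && $proto === 'https';
}

function startSecureSession(array $server, array $trustedProxies): bool
{
    if (!requestIsHttps($server, $trustedProxies)) {
        // session_start() would still emit the Secure cookie here; skip it.
        return false;
    }
    return session_start([
        'cookie_secure'   => true,
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed $_SERVER samples, so the check can be exercised offline.
    $samples = [
        'direct TLS'     => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7'],
        'trusted proxy'  => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'spoofed header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'plain HTTP'     => ['REMOTE_ADDR' => '203.0.113.7'],
    ];
    foreach ($samples as $name => $s) {
        printf("%-16s %s\n", $name, requestIsHttps($s, TRUSTED_PROXIES) ? 'https' : 'plain http');
    }
} elseif (!startSecureSession($_SERVER, TRUSTED_PROXIES)) {
    // Send the client to the HTTPS origin instead of issuing a cookie it will drop.
    header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 308);
    exit;
}
```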