I want to set the httponly and secure flags to true in my code, but when I try to set that cookie, the cookie is not created and I am unable to log in to the site.
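// Cookie flags must be configured before the session is started.
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
session_name('sim');
// Start the session before writing to $_SESSION; values assigned earlier are discarded.
session_start();
$_SESSION['nons'] = rand(1, 999999999);
// Fingerprint built from the client address, user agent and the nonce.
$value = md5($_SERVER["REMOTE_ADDR"] . " " . $_SERVER["HTTP_USER_AGENT"] . " " . $_SESSION['nons']);
$_SESSION['sim'] = $value;
session_regenerate_id();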
This is the code which is used to create the session cookie. After removing the lines below, the code works perfectly:
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
But for security purposes I need to set the cookie flags to one.
Answer
The secure flag means “This cookie is only valid over HTTPS”.
You are using HTTP (without the S).
This means the cookie is invalid and the browser is correctly ignoring it.
You can’t require that cookies be secure if your communication channel isn’t.
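One way to apply the answer's point, as an added example that is not code from the question or the answer: send plain-HTTP requests to HTTPS first, and only then start a session whose cookie carries the Secure and HttpOnly flags. The function names, the `CANONICAL_HOST` placeholder and the proxy-header option are assumptions made for illustration.

```php
<?php
// Added example. CANONICAL_HOST is a placeholder; set it to the site's real HTTPS host.
const CANONICAL_HOST = 'www.example.com';

/** True when the current request arrived over TLS. */
function request_is_https(array $server, bool $trustForwardedProto = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Honour this header only when a TLS-terminating proxy you control sets it;
    // otherwise a client could claim HTTPS on a plain-HTTP connection.
    return $trustForwardedProto
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/** Start the session with Secure + HttpOnly, never over plain HTTP. */
function start_secure_session(string $name = 'sim'): void
{
    if (!request_is_https($_SERVER)) {
        // A Secure cookie set on this response would be ignored by the browser,
        // so redirect to the fixed HTTPS host instead of trusting the Host header.
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    session_name($name);
    // Array form of session_set_cookie_params() requires PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
    ]);
    session_start();

    // Issue a fresh session id once per session to limit fixation.
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
}

start_secure_session();
```

Call `start_secure_session()` before any output is sent, because both the redirect and the session cookie are delivered as response headers.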