
usage of session.cookie_secure

i'm setting session.cookie_secure = "on" via .htaccess and it works -
confirmed by phpinfo(). this i thought enforces a secure transmission
of the session-id.

as far as i can see, the session cookie gets set, but i don't seem to
be able to store any vars in the session? am i missing something?

any help appreciated, micha
Jul 17 '05 #1
8 Replies


ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
> i'm setting session.cookie_secure = "on" via .htaccess and it works -
> confirmed by phpinfo(). this i thought enforces a secure transmission
> of the session-id.
>
> as far as i can see, the session cookie gets set, but i don't seem to
> be able to store any vars in the session? am i missing something?

Are you sure that your pages are over HTTP_S_?

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #2

ng**********@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<ab**************************@posting.google.com>...
> ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
>> i'm setting session.cookie_secure = "on" via .htaccess and it works -
>> confirmed by phpinfo(). this i thought enforces a secure transmission
>> of the session-id.
>>
>> as far as i can see, the session cookie gets set, but i don't seem to
>> be able to store any vars in the session? am i missing something?
>
> Are you sure that your pages are over HTTP_S_?

sorry for not answering for so long.

well, the browser tells me that the session cookie is accepted only
via a secure transmission.
i did some more testing and noticed that the session-id in the cookie
changes whenever i call the session again - i suppose it doesn't
change on the server, and that's why the ids don't match and the
variables don't get registered properly.

so is the changing of the id part of the security or just weird
behavior?

micha
Jul 17 '05 #3

ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
<snip>
> well, the browser tells me that the session cookie is accepted only
> via a secure transmission.

You mean via https?

> i did some more testing and noticed that the session-id in the cookie
> changes whenever i call the session again - i suppose it doesn't
> change on the server, and that's why the ids don't match and the
> variables don't get registered properly.

Have you enabled full error reporting? BTW, what is your version and OS?

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com
Jul 17 '05 #4

ng**********@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<ab**************************@posting.google.com>...
> ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
> <snip>
>> well, the browser tells me that the session cookie is accepted only
>> via a secure transmission.
>
> You mean via https?
>
>> i did some more testing and noticed that the session-id in the cookie
>> changes whenever i call the session again - i suppose it doesn't
>> change on the server, and that's why the ids don't match and the
>> variables don't get registered properly.
>
> Have you enabled full error reporting? BTW, what is your version and OS?


well, there are no error messages, the variables just don't register.

whenever i enable session.use_trans_sid and the id gets transmitted
via the url, the sessions work, because then the same id is used
every time. i suppose that whenever i use secure session cookies and
no trans_sid, the id on the server remains the same, while the id in
the cookie changes with every session call, so they match for the
first script, but not further.

the whole thing is under php 4.2.2, apache 1.3.26 on linux knuth
2.4.19
Jul 17 '05 #5

i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.
Jul 17 '05 #6

ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
> ng**********@rediffmail.com (R. Rajesh Jeba Anbiah) wrote in message news:<ab**************************@posting.google.com>...
>> ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
>> <snip>
>>> well, the browser tells me that the session cookie is accepted only
>>> via a secure transmission.
>>
>> You mean via https?
>>
>>> i did some more testing and noticed that the session-id in the cookie
>>> changes whenever i call the session again - i suppose it doesn't
>>> change on the server, and that's why the ids don't match and the
>>> variables don't get registered properly.
>>
>> Have you enabled full error reporting? BTW, what is your version and OS?
>
> well, there are no error messages, the variables just don't register.
>
> whenever i enable session.use_trans_sid and the id gets transmitted
> via the url, the sessions work, because then the same id is used
> every time. i suppose that whenever i use secure session cookies and
> no trans_sid, the id on the server remains the same, while the id in
> the cookie changes with every session call, so they match for the
> first script, but not further.
>
> the whole thing is under php 4.2.2, apache 1.3.26 on linux knuth
> 2.4.19

Unfortunately, you didn't answer my questions _or_ I couldn't
understand your answers.

1. Are your pages over httpS? If not, what do you mean by secure
cookie transmission?
2. Have you enabled full error reporting? If not, add the following
two lines at the beginning of your script and then retry.

    error_reporting(E_ALL);
    ini_set('display_errors', 1);

3. Post a small piece of your code which causes the problem.
4. What is your client browser/OS?
5. Post your session settings (found in INI file).

I'm going for weekend rest; I'll be back Monday evening. If you post
these details, I'm sure someone here might help you.

--
"Believe it or not, patriotism is one of the worst dividing forces"
Email: rrjanbiah-at-Y!com
Jul 17 '05 #7

ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
> i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.

I assume secure cookies are only sent when you're using a https
connection. E.g. if you use plain http, they never reach the client's
browser.

I may very well be wrong here, never seen anyone state what the secure
flag means, but the questions from other people trying to help you
seem to confirm this.
Jul 17 '05 #8

te*******@hotmail.com (Droolboy) wrote in message news:<36*************************@posting.google.com>...
> ch*********@web.de (chotiwallah) wrote in message news:<78*************************@posting.google.com>...
>> i just tested under php 4.2.3 on apache 1.3.24/win2k - same problem.
>
> I assume secure cookies are only sent when you're using a https
> connection. E.g. if you use plain http, they never reach the client's
> browser.
>
> I may very well be wrong here, never seen anyone state what the secure
> flag means, but the questions from other people trying to help you
> seem to confirm this.

well, i did some more reading...

it seems that secure session cookies work only if the whole page is
sent via https - which is exactly the thing i was trying to avoid.
nevertheless, thanks for all the help.

micha
Jul 17 '05 #9
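
Added example (not part of the thread): a Python simulation of the symptom discussed above, with the standard library's `http.cookiejar` acting as the client. The `server` function is a minimal model of a page that calls `session_start()`, not PHP's implementation; the host `app.example` and the visit counter are assumptions, and `PHPSESSID` is PHP's default session cookie name.

```python
import secrets
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

SESSIONS = {}  # server-side store: session id -> session variables

class Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers

def server(cookie_header, cookie_secure=True):
    """Model of a page that starts a session and counts visits in it."""
    sid = None
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID" and value in SESSIONS:
            sid = value
    set_cookie = None
    if sid is None:  # no usable id came back: open a fresh, empty session
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {"visits": 0}
        flag = "; Secure" if cookie_secure else ""
        set_cookie = f"PHPSESSID={sid}; Path=/{flag}"
    SESSIONS[sid]["visits"] += 1
    return sid, SESSIONS[sid]["visits"], Response(set_cookie)

def browse(scheme, requests=3, cookie_secure=True):
    """Send several requests from one cookie jar; return (sid, visits) per request."""
    jar = CookieJar()
    seen = []
    for _ in range(requests):
        req = urllib.request.Request(f"{scheme}://app.example/page.php")
        jar.add_cookie_header(req)  # client policy: Secure cookies only go over https
        sid, visits, resp = server(req.get_header("Cookie"), cookie_secure)
        jar.extract_cookies(resp, req)  # client stores whatever Set-Cookie arrived
        seen.append((sid, visits))
    return seen

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, browse(scheme))
```
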
