问题
I'm using HTTPS and I would like to set the secure attribute for the PHPSESSID and the other cookies I have created.
session_set_cookie_params(0,'/','', isset($_SERVER["HTTPS"]));
session_start();
$data = session_get_cookie_params();
foreach ($data as $key=>$value) {
echo $key.$value;
}
The function seems to work, in fact, printing out session_get_cookie_params() the secure attribute is equal to 1.
But, when I check my cookie state by Firefox or by Firebug+Firecookie they appear to be not affected at all by the statement. Even changing the domain attribute gives the same results.
I'm working on XAMPP, on Ubuntu and on localhost (localhost should have a special treatment for security issues, maybe). Thanks for your help!
回答1:
Try using a session name when using session_set_cookie_params.
Reference:
PHP session_set_cookie_params
PHP session_name
回答2:
I had the same issue and using session_name() didn't help. I had to disable session_start() generating the cookie and generate the cookie manually like this:
$sessionID = $_COOKIE[session_name()];
ini_set('session.use_cookies', false);
if ($sessionID) session_id($sessionID); // reuse if available
session_start();
// session_set_cookie_params() is not working with a "path" part
// this way every click is extending the session for $timeout more
setcookie(session_name(), $sessionID ?: session_id(), time() + $timeout, $cookiePath, $_SERVER['HTTP_HOST'], false, true);
x-powered-by: PHP/5.4.15
来源:https://stackoverflow.com/questions/11117374/session-set-cookie-params-seems-to-work-but-cookies-are-not-affected