“secure” parameter in session_set_cookie_params

Question

I am interested in learning more about the secure parameter of the function session_set_cookie_params().

Can you tell me how to utilize thi

Answer 1

It means that the client will only send that cookie through a secure (HTTPS) connection. This means you'll have to forward the user to a secure URL in order for the cookie to get sent to the server.

You can set a secure cookie through an insecure connection, though you obviously should not (otherwise the value of the cookie may be sniffed). Since a secure cookie can be changed by an insecure connection, you cannot trust that the cookie value was not corrupted by a third party that intercepted and changed the contents of an insecure HTTP request to your site. Therefore, depending on how you're using the secure cookie, you may need to validate its contents.