=== on 18 Oct 2016, 16:30:44 Pierre-Yves Nicolas wrote:
By default, cookies are not secured. It seems that there are several ways to have an impact on that behavior:

* through a php.ini configuration: http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure[session.cookie_secure]
* by changing the configuration inside PHP code with http://php.net/manual/en/function.session-set-cookie-params.php[session_set_cookie_params]
* when creating a cookie in PHP code: http://php.net/manual/en/function.setcookie.php[setcookie ]


=== on 18 Oct 2016, 16:51:47 Pierre-Yves Nicolas wrote:
\[~ann.campbell.2] Could you please review this PHP subtask?

=== on 18 Oct 2016, 20:04:28 Ann Campbell wrote:
Looks fine [~pierre-yves.nicolas], but wouldn't a variable named $cookie_security be clearer & allow shorter comments?

=== on 20 Oct 2016, 17:18:59 Pierre-Yves Nicolas wrote:
Sorry [~ann.campbell.2], I don't see how that variable would be used.

=== on 20 Oct 2016, 18:44:23 Ann Campbell wrote:
\[~pierre-yves.nicolas] like so:


----
; php.ini
session.cookie_secure = 0 ; Noncompliant

$session_cookie_secure = false;
// in PHP code
session_set_cookie_params($lifetime, $path, $domain, $session_cookie_secure); // Noncompliant

setcookie ($name, $value, $expire, $path, $domain, $session_cookie_secure); // Noncompliant
----

I'm trying to make the code itself more self-explanatory 

=== on 21 Oct 2016, 08:19:40 Pierre-Yves Nicolas wrote:
I now understand [~ann.campbell.2]. Of course, it's harder to implement, and requires symbolic execution for the most general case.

=== on 21 Oct 2016, 13:23:09 Ann Campbell wrote:
Ah. And now _I_ understand.

include::../comments-and-links.adoc[]