42 lines
1.7 KiB
Plaintext
42 lines
1.7 KiB
Plaintext
=== on 18 Oct 2016, 16:30:44 Pierre-Yves Nicolas wrote:
|
|
By default, cookies are not secured. It seems that there are several ways to have an impact on that behavior:
|
|
|
|
* through a php.ini configuration: http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure[session.cookie_secure]
|
|
* by changing the configuration inside PHP code with http://php.net/manual/en/function.session-set-cookie-params.php[session_set_cookie_params]
|
|
* when creating a cookie in PHP code: http://php.net/manual/en/function.setcookie.php[setcookie ]
|
|
|
|
|
|
=== on 18 Oct 2016, 16:51:47 Pierre-Yves Nicolas wrote:
|
|
\[~ann.campbell.2] Could you please review this PHP subtask?
|
|
|
|
=== on 18 Oct 2016, 20:04:28 Ann Campbell wrote:
|
|
Looks fine [~pierre-yves.nicolas], but wouldn't a variable named $cookie_security be clearer & allow shorter comments?
|
|
|
|
=== on 20 Oct 2016, 17:18:59 Pierre-Yves Nicolas wrote:
|
|
Sorry [~ann.campbell.2], I don't see how that variable would be used.
|
|
|
|
=== on 20 Oct 2016, 18:44:23 Ann Campbell wrote:
|
|
\[~pierre-yves.nicolas] like so:
|
|
|
|
|
|
----
|
|
; php.ini
|
|
session.cookie_secure = 0 ; Noncompliant
|
|
|
|
$session_cookie_secure = false;
|
|
// in PHP code
|
|
session_set_cookie_params($lifetime, $path, $domain, $session_cookie_secure); // Noncompliant
|
|
|
|
setcookie ($name, $value, $expire, $path, $domain, $session_cookie_secure); // Noncompliant
|
|
----
|
|
|
|
I'm trying to make the code itself more self-explanatory
|
|
|
|
=== on 21 Oct 2016, 08:19:40 Pierre-Yves Nicolas wrote:
|
|
I now understand [~ann.campbell.2]. Of course, it's harder to implement, and requires symbolic execution for the most general case.
|
|
|
|
=== on 21 Oct 2016, 13:23:09 Ann Campbell wrote:
|
|
Ah. And now _I_ understand.
|
|
|
|
include::../comments-and-links.adoc[]
|