mirror/php-auth
1
0
Fork 0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-08-04 15:17:28 +02:00
Code Issues Releases Wiki Activity

Document 'secure' cookie attribute and how to change it in README

Browse Source
This commit is contained in:
Marco
2017-10-21 22:32:01 +02:00
parent 2ded232d8e
commit 302feb5da2
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@@ -84,6 +84,7 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
* [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies) * [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies)
* [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available) * [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available)
* [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies) * [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies)
* [Configuring transport security for cookies](#configuring-transport-security-for-cookies)
* [Utilities](#utilities) * [Utilities](#utilities)
* [Creating a random string](#creating-a-random-string) * [Creating a random string](#creating-a-random-string)
* [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122) * [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122)
@@ -1007,6 +1008,28 @@ You can change the attribute through one of the following means, in order of rec
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`). For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Configuring transport security for cookies
Using the `secure` attribute, you can control whether cookies should be sent over *any* connection, including plain HTTP, or whether a secure connection, i.e. HTTPS (with SSL/TLS), should be required. The former (less secure) mode can be chosen by setting the attribute to `0`, and the latter (more secure) mode can be chosen by setting the attribute to `1`.
Obviously, this solely depends on whether you are able to serve *all* pages exclusively via HTTPS. If you can, you should set the attribute to `1` and possibly combine it with HTTP redirects to the secure protocol and HTTP Strict Transport Security (HSTS). Otherwise, you may have to keep the attribute set to `0`.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_secure` directive and change its value as desired, e.g.:
```
session.cookie_secure = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_secure` directive as desired, e.g.:
```php
\ini_set('session.cookie_secure', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
### Utilities ### Utilities
#### Creating a random string #### Creating a random string