Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
600 views
in Technique[技术] by (71.8m points)

php - "secure" parameter in session_set_cookie_params

I am interested in learning more about the secure parameter of the function session_set_cookie_params().

Can you tell me how to utilize this properly? If this function is executed on a page that is not secure (but on a server that does have SSL), will it somehow send it securely or do I have to force SSL on the page this function is executed from on my own?



1 Answer

0 votes
by (71.8m points)

It means that the client will only send that cookie through a secure (HTTPS) connection. This means you'll have to forward the user to a secure URL in order for the cookie to get sent to the server.

You can set a secure cookie through an insecure connection, though you obviously should not (otherwise the value of the cookie may be sniffed). Since a secure cookie can be changed by an insecure connection, you cannot trust that the cookie value was not corrupted by a third party that intercepted and changed the contents of an insecure HTTP request to your site. Therefore, depending on how you're using the secure cookie, you may need to validate its contents.
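An added example, not part of the original answer, of the behaviour described above: the `secure` flag does not upgrade the connection, so the page redirects to HTTPS itself before any session cookie is issued. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()`) and a server that sets `$_SERVER['HTTPS']`; the helper function names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * True when the current request arrived over TLS.
 * Assumption: the web server sets $_SERVER['HTTPS'] for TLS requests.
 * Behind a TLS-terminating proxy, replace this check with whatever
 * signal that proxy is configured to provide.
 */
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS'])
        && strtolower((string) $server['HTTPS']) !== 'off';
}

/** Build the https:// URL for the same path on the configured host. */
function https_url(array $server): string
{
    // SERVER_NAME comes from server configuration, not from the
    // client-supplied Host header.
    return 'https://' . $server['SERVER_NAME'] . ($server['REQUEST_URI'] ?? '/');
}

function start_secure_session(array $server): void
{
    if (!request_is_https($server)) {
        // Redirect first: no Set-Cookie header is sent in clear text,
        // and a Secure cookie would not come back over HTTP anyway.
        header('Location: ' . https_url($server), true, 302);
        exit;
    }

    // Must be called before session_start() on every request.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // browser sends the cookie over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_secure_session($_SERVER);
```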

