I was checking on why my test forum doesn't have a full green padlock when I accidentally looked into its cookie details and found out that its cookie is sent for secure connections only but PHPSESSID is sent for any kind of connection (not secure) even when logged in with an admin account.
I am not sure whether this is ok (or bad) but I was thinking of why not check if the forum is using https and limit all PHPSESSID cookies to https only. Or if that is too much, maybe only limit the administrator's PHPSESSID cookie to https. But maybe best if both options are made available.
This may be nothing to worry about in the current way and I also have no idea on how this would benefit the forum users or admins and how to secure PHPSESSID cookie yet.
After looking deeper into Session.php, I think it should work if we add something like this:
@ini_set('arg_separator.output', '&');
// Secure PHPSESSID: when the board is configured for https, mark the session
// cookie Secure so browsers only send it over TLS ($boardurl is the board URL global)
if (parse_url($boardurl, PHP_URL_SCHEME) === 'https')
	@ini_set('session.cookie_secure', true);
But there is also code "to stop people from using bad junky PHPSESSIDs" in there, so I am not sure whether adding this is necessary or otherwise redundant, though my guess is securing it via https is better, if https is already used in the url.
What do you all think?
I think I PRed the above solution so it can be immediately added to 1.1.6 if agreeable: https://github.com/elkarte/Elkarte/pull/3303.
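The check from the posts above together with a way to verify the outcome on a test board, as an added example that is not part of the original post or of ElkArte; $boardurl, the cookie names and the Set-Cookie headers are constructed:

```php
<?php
// Added example, not ElkArte's own code. It shows the check proposed above
// (enable session.cookie_secure only when $boardurl is https) and a way to
// verify the result by inspecting the Set-Cookie headers a board returns.

// Same test as the proposed Session.php change: only a board reached over
// https may restrict PHPSESSID to secure connections, otherwise http visitors
// would lose their session on every request.
function sessionCookieShouldBeSecure(string $boardurl): bool
{
    return parse_url($boardurl, PHP_URL_SCHEME) === 'https';
}

// Must run before session_start(); ini_set returns the old value or false.
function applySessionCookieSecure(string $boardurl): void
{
    if (sessionCookieShouldBeSecure($boardurl)) {
        ini_set('session.cookie_secure', '1');
    }
}

// Report cookies in a list of Set-Cookie header values that lack the Secure
// attribute. Attribute names are case-insensitive, so they are lowercased.
function cookiesMissingSecure(array $setCookieHeaders): array
{
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        $name = strstr(array_shift($parts), '=', true);
        $attrs = array_map('strtolower', $parts);
        if ($name !== false && !in_array('secure', $attrs, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

$boardurl = 'https://forum.example.test/';          // constructed value
applySessionCookieSecure($boardurl);

// Constructed headers matching the symptom described in the first post:
// the forum's own cookie is Secure, PHPSESSID is not. Live headers can be
// taken from (array) get_headers($boardurl, true)['Set-Cookie'] or from
// the browser's developer tools.
$sample = [
    'PHPSESSID=abc123; path=/; HttpOnly',
    'ElkArteCookie=def456; path=/; secure; HttpOnly',
];
echo 'Cookies without Secure: ' . implode(', ', cookiesMissingSecure($sample)) . PHP_EOL;
```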
It seems a reasonable thing to enable (or try to) when httpS. The php manual has
but I'm far from an expert on all things session related!
Thanks for this
@ahrasis Security is always a top concern.
Using on 3 sites, all working perfectly. 8)
Woops. Seems I spoke too soon. Registration is, in fact, an issue. It leads to this error:
Wrong value type sent to the database. Integer expected. (id_member)
Thanks
@ahrasis I'll give that a try. Odd the issue didn't arise until this code was changed. Or perhaps it was just bad luck? I dunno. Will report back soon!
Edit: ah...got it. The error was only thrown if there is a registration error. https cookies work perfectly and the fix in the referenced thread works as well. Cool! 8)
Thank you for updating
@badmonkey. Do report if there is any other problem / error found while using secure PHPSESSID cookie.
If none is further reported, hopefully this can get into 1.1.6 patches as well.