I was checking on why my test forum doesn't have a full green padlock when I accidentally looked into its cookie details and found out that its cookie is sent for secure connections only but PHPSESSID is sent for any kind of connection (not secure) even when logged with an admin account.
I am not sure whether this ok (or bad) but I was thinking of why not check if the forum is using https and limit all PHPSESSID cookies to https only. Or if that is too much, may be only limit the administrator's PHPSESSID cookie to https. But may be best if both options are made available.
This may be nothing to worry about in the current way and I also have no idea on how this would benefit the forum users or admins and how to secure PHPSESSID cookie yet.
After looking deeper into Session.php, I think it should work if we add something like this:
// Secure PHPSESSIONID
if (parse_url($boardurl, PHP_URL_SCHEME)==='https')
But there is also code "to stop people from using bad junky PHPSESSIDs" in there, so I am not sure whether adding this is necessary or otherwise redundant, though my guess is securing it via https is better, if https is already used in the url.
What do you all think?
I think I PRed the above solution so it can be immediately added to 1.1.6 if agreeable: https://github.com/elkarte/Elkarte/pull/3303.
It seems a reasonable thing to enable (or try to) when httpS The php manual has
Allow access to the session ID cookie only when the protocol is HTTPS. If a website is only accessible via HTTPS, it should enable this setting.
but I'm far from an expert on all things session related!
Thanks for this @ahrasis
Security is always a top concern.
Using on 3 sites, all working perfectly. 8)
Woops. Seems I spoke too soon. Registration is, in fact, an issue. It leads to this error:
Wrong value type sent to the database. Integer expected. (id_member)
I guess we have to test it some more though my test on a newly installed forum reveals no error.
Edited: I searched and found that your mentioned error is actually an already reported bug (https://www.elkarte.net/community/index.php?topic=5510.0) for 1.1.5 which may have nothing to do with this PHPSESSID security fix. The said bug is already tracked (https://github.com/elkarte/Elkarte/issues/3278) and should be fixed by 1.1.6 patch.
Those who tested this PHPSESSID security fix and have any problems or error with their login or logout session or registration, please do report its outcome.
I'll give that a try. Odd the issue didn't arise until this code was changed. Or perhaps it was just bad luck? I dunno. Will report back soon!
Edit: ah...got it. The error was only thrown if there is a registration error. https cookies work perfectly and the fix in the referenced thread works as well. Cool! 8)
Thank you for updating @badmonkey
. Do report if there is any other problem / error found while using secure PHPSESSID cookie.
If none is further reported, hopefully this can get into 1.1.6 patches as well.