Re: Option to limit PHPSESSID cookie to https?
Reply #1 –
After looking deeper into Session.php, I think it should work if we add something like this:
    @ini_set('arg_separator.output', '&');

    // Secure PHPSESSID: only send the session cookie over HTTPS
    if (parse_url($boardurl, PHP_URL_SCHEME) === 'https')
        @ini_set('session.cookie_secure', true);
But there is also code "to stop people from using bad junky PHPSESSIDs" in there, so I am not sure whether adding this is necessary or otherwise redundant, though my guess is securing it via https is better, if https is already used in the url.
What do you all think?
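
An added example, not part of the original post and not the forum software's own code: the check proposed above as a stand-alone function that tolerates an upper-case or missing scheme, refuses to run once the session has started or output has begun, and reads the flag back instead of silencing failures with @. The function names and the forum.example URLs are assumptions made for illustration.

```php
<?php
// Added example. Helper names and sample URLs are hypothetical.

/** True when the configured board URL uses the https scheme. */
function sessionCookieShouldBeSecure(string $boardurl): bool
{
    // parse_url() returns null when there is no scheme and false when the
    // URL is badly malformed; it does not lower-case "HTTPS".
    $scheme = parse_url($boardurl, PHP_URL_SCHEME);
    return is_string($scheme) && strtolower($scheme) === 'https';
}

/**
 * Set session.cookie_secure from the board URL.
 * Returns true only if the Secure flag is really in effect afterwards.
 */
function applySecureSessionCookie(string $boardurl): bool
{
    // The setting only matters before session_start(); PHP also rejects
    // changes to session.* options once the session is active or output
    // (and therefore the headers) has been sent.
    if (session_status() === PHP_SESSION_ACTIVE || headers_sent()) {
        return false;
    }
    if (!sessionCookieShouldBeSecure($boardurl)) {
        return false; // plain-http board: a Secure cookie would never come back
    }
    // No @ here: a failed ini_set() returns false and should be noticed.
    if (ini_set('session.cookie_secure', '1') === false) {
        return false;
    }
    // Read back the parameters session_start() will use for the cookie.
    return session_get_cookie_params()['secure'] === true;
}

// Apply first, print afterwards, so no output precedes the ini change.
$applied = applySecureSessionCookie('https://forum.example/');

// Constructed sample board URLs.
$samples = ['https://forum.example/', 'HTTPS://forum.example', 'http://forum.example', 'forum.example'];
foreach ($samples as $url) {
    printf("%-24s secure=%s\n", $url, sessionCookieShouldBeSecure($url) ? 'yes' : 'no');
}
printf("Secure flag applied to session cookie: %s\n", $applied ? 'yes' : 'no');
```

The decision here rests on the configured board URL, as in the post, not on how the current request arrived, so a board configured with an http URL gets no Secure flag even when a visitor reaches it over https.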