Is session.cookie_secure in php.ini automatic?

AllThisOnAnACER · Sep 10, 2014

Simple answer requested: If I put

session.cookie_httponly=On
session.cookie_secure=On 

in the php.ini file for my website, will that automatically turn all the php cookies to secure and httponly, or will I still need to put in true, true into parameter slots 6 and 7 in the cookie itself?

Answer

MrTux · Sep 10, 2014

The answer is yes. Setting this in php.ini is enough (however, I only saw "True" as the setting used instead of "On").

You can verify this by setting these values, restarting your webserver and accessing your site with a browser, e.g. Firefox. Then open "site information", and choose "security" tab and click on cookies. There you can see if it's marked as secure.
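The same verification can be done on the raw response headers instead of the browser dialog. The script below is an added example, not part of the original question or answer: it reads every Set-Cookie line and reports which cookies lack Secure or HttpOnly. The sample response is constructed, and it assumes a hypothetical `theme` cookie that the application sets itself with setcookie() without parameters 6 and 7; the session.cookie_* directives govern the session cookie (PHPSESSID by default), so a per-cookie check shows whether any other cookie still needs its own flags.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly attributes.

def parse_set_cookie(header_value):
    """Return (cookie_name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part (e.g. path=/).
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(raw_headers):
    """Map each cookie name in a raw header block to the list of flags it lacks."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or a header other than Set-Cookie
        name, attrs = parse_set_cookie(value)
        findings[name] = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return findings


# Constructed sample: what a response could look like with both php.ini settings
# enabled and one application cookie (hypothetical name "theme") set without flags.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=constructedsessionid0001; path=/; secure; HttpOnly
Set-Cookie: theme=dark; expires=Thu, 10-Sep-2015 12:00:00 GMT; Max-Age=31536000; path=/
"""

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

To run it against a real site, replace SAMPLE_HEADERS with the header block saved from an HTTPS request to your own pages.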