Just received the results of a security audit – everything clear apart from two things
Session cookie without http flag.
Session cookie without secure flag set.
The application is coded in php and the suggestions to fix are:
- set session cookie with http only flag
- set session cookie with secure flag
I have looked at examples but don’t fully understand how to implement on a Linux server. I don’t have access to the .ini file . Is it possible to set these in the htaccess file?
Alternatively, how and where do I implement in the code?
Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:
php_value session.cookie_httponly 1 php_value session.cookie_secure 1
Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session in non-secured http page (but like pointed out in the comments, is really the point of the configuration in the first place…).
You can set them before you send the header. Just add these line below in you code.
I know this specifically said they do not have access to the .ini file but for those who get here via search results the .ini settings look like:
session.cookie_httponly = 1 session.cookie_secure = 1
The cookie_secure is already present by default in most ini files but commented out. So uncomment that line and set the 1.
The httponly line is also already present but not commented out but defaults to 0. So you must hunt it down and set it.