
Cookies sent over HTTP instead of SSL


I'm using IPB and I run my site over SSL (HTTPS), fully functional, but I have an issue. Basically, cookies do not have the parameter "https only" / "secure", which is pretty essential in case SSL turns off, in which case the cookie then cannot be transferred over HTTP (plain text). I've read an article on how to do it, but it doesn't work that way with IPB. Here's how it's set:

 Line 4227:    @setcookie( $_name, $value, $expires, $_path, $_domain . '; HttpOnly' );
 Line 4231:    @setcookie( $_name, $value, $expires, $_path );
 Line 4236:    @setcookie( $_name, $value, $expires, $_path, $_domain, NULL, TRUE );
 Line 4241:    @setcookie( $_name, $value, $expires, $_path, $_domain );


How can I enforce the "secure" parameter?


Solution

  • It's right in the setcookie() documentation. Set parameter #6 to TRUE:

    @setcookie( $_name, $value, $expires, $_path, $_domain, TRUE, TRUE );
                                                            ^-#6 secure
                                                                  ^-#7 httponly
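
To confirm the change took effect, the response's Set-Cookie lines can be checked for the two flags. The following is an added example, not part of the original answer or of IPB: the function names, cookie names and the `forum.example` domain are hypothetical, and the sample headers are constructed to represent the flag combinations the four calls in the question are meant to produce, plus the corrected call.

```php
<?php
// Added example: report cookies whose Set-Cookie line lacks Secure or HttpOnly.
/** Parse one "Set-Cookie: ..." line into [name, lower-cased attribute names]. */
function parse_set_cookie(string $header): ?array
{
    if (stripos($header, 'Set-Cookie:') !== 0) {
        return null; // not a cookie header
    }
    $parts = array_map('trim', explode(';', substr($header, strlen('Set-Cookie:'))));
    $name  = explode('=', array_shift($parts), 2)[0];
    $attrs = [];
    foreach ($parts as $part) {
        if ($part !== '') {
            // Attribute names are case-insensitive; flags carry no "=value".
            $attrs[] = strtolower(trim(explode('=', $part, 2)[0]));
        }
    }
    return [$name, $attrs];
}

/** Map cookie name => missing flags, listing only cookies that miss one. */
function audit_cookie_headers(array $headers): array
{
    $findings = [];
    foreach ($headers as $header) {
        $parsed = parse_set_cookie($header);
        if ($parsed === null) {
            continue;
        }
        [$name, $attrs] = $parsed;
        $missing = array_values(array_diff(['secure', 'httponly'], $attrs));
        if ($missing) {
            $findings[$name] = $missing;
        }
    }
    return $findings;
}

// Constructed sample headers (hypothetical cookie names and domain).
$sample = [
    'Set-Cookie: a_httponly_suffix=1; path=/; domain=forum.example; HttpOnly',
    'Set-Cookie: b_path_only=1; path=/',
    'Set-Cookie: c_httponly_arg=1; path=/; domain=forum.example; HttpOnly',
    'Set-Cookie: d_no_flags=1; path=/; domain=forum.example',
    'Set-Cookie: e_fixed=1; path=/; domain=forum.example; secure; HttpOnly',
];
foreach (audit_cookie_headers($sample) as $name => $missing) {
    echo $name, ': missing ', implode(', ', $missing), PHP_EOL;
}
```

Inside a running page, `headers_list()` returns the pending header lines in the same `Set-Cookie: ...` form, so its result can be passed to `audit_cookie_headers()` directly.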