
Does php send a cookie to localhost with HTTP when session_start() with cookie_secure equal to true?


If I start a session like below on a server and a localhost client tries to request the server via HTTP, does it respond with the session cookie?

Or must it go through HTTPS?

I read the doc and it did say only through HTTPS, but I wonder if localhost is an exception.

session_start([
    'cookie_secure' => true
]);

Solution

  • Yes, it does:

    [Screenshot: Network pane in browser developer tools showing the Set-Cookie response header]

    If you try this in a browser, you'll also see a warning saying that the cookie was rejected.

    This makes sense because PHP has no control over the entire communication channel, and it's possible that the end user is connecting to a secure proxy that redirects internally to a non-encrypted HTTP server.
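The following script is an added example (not code from the question or the answer) that makes this behaviour visible without a browser: it prints the Set-Cookie header PHP emits and the scheme PHP believes the request used. The `$trustedProxies` list and the `X-Forwarded-Proto` handling are assumptions for the reverse-proxy case the answer mentions.

```php
<?php
// Added example, not from the original post. Run with the PHP built-in server:
//   php -S 127.0.0.1:8080 secure_cookie_demo.php
// then:  curl -i http://127.0.0.1:8080/
// curl shows the raw headers; a browser would silently drop the Secure cookie.

// Assumption: only a proxy at one of these addresses may assert the original
// scheme. Never trust X-Forwarded-Proto from arbitrary clients, or anyone can
// make PHP believe a plain-HTTP request was HTTPS.
$trustedProxies = ['127.0.0.1', '::1'];

$directTls = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$viaProxy  = in_array($_SERVER['REMOTE_ADDR'] ?? '', $trustedProxies, true)
    && (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
$isHttps   = $directTls || $viaProxy;

// cookie_secure=true adds the Secure attribute unconditionally; PHP does not
// look at the transport, so the header is sent even on localhost over HTTP.
session_start([
    'cookie_secure'   => true,
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
]);

header('Content-Type: text/plain');
echo "Scheme as seen by PHP: " . ($isHttps ? 'https' : 'http') . "\n";
echo "Set-Cookie headers PHP is sending:\n";
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo "  $h\n";
    }
}

if (!$isHttps) {
    // Defender-side check: warn in the response (and ideally in logs) that the
    // session will not persist because the browser will reject the cookie.
    echo "\nWarning: Secure cookie sent over plain HTTP; the browser will discard it\n"
       . "and the session id will not be returned on the next request.\n";
}
```

Over plain HTTP the first response always carries a fresh session id with the Secure attribute, and repeated browser requests keep getting new ids because none are stored; over HTTPS the same id is returned on the next request.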