I am learning the session and cookie configuration of PHP.
I set up PHP running on an Apache2 server on my localhost.
I tried to use a tool, Insomnia, to send a GET request to the endpoint (http://localhost:8000/test.php) with the script below.
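```php
<?php
// cookie_secure adds the Secure attribute to the session cookie,
// so a client returns it only over HTTPS.
session_start(['cookie_secure' => true]);
if (isset($_SESSION['token'])) {
    // A session with a token already exists: return the token.
    exit($_SESSION['token']);
}
// First request of a session: generate and store a random token.
$_SESSION['token'] = bin2hex(random_bytes(32));
exit;
```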
After the first request, I managed to get the session cookie and set `$_SESSION['token']`.
When I sent the second request, I did not manage to receive the token. The reason is that the session cookie is not received by PHP.
My question is: who actually discards the cookie in the second request? Insomnia, PHP, or Apache2?
Insomnia would have dropped it because you flagged the cookie as secure then used HTTP instead of HTTPS.
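
The client-side decision described in the answer can be reproduced with Python's standard `http.cookiejar`, used here as a stand-in for a client cookie jar. This is an added example, not code from the question or from Insomnia; the `Set-Cookie` value, `FakeResponse` and `replay` are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample of the header PHP sends when cookie_secure is true.
SET_COOKIE = "PHPSESSID=constructed0123456789abcdef; path=/; secure"


class FakeResponse:
    """Minimal response object: CookieJar.extract_cookies only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def replay(first_url, second_url, set_cookie=SET_COOKIE):
    """Store the cookie from the response to first_url, then build a request
    to second_url. Returns (stored cookie names, Cookie header or None)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(first_url))
    stored = [cookie.name for cookie in jar]

    follow_up = urllib.request.Request(second_url)
    jar.add_cookie_header(follow_up)  # applies the Secure/scheme check
    return stored, follow_up.get_header("Cookie")


if __name__ == "__main__":
    http_url = "http://localhost:8000/test.php"
    https_url = "https://localhost:8000/test.php"
    # Same scenario as the question: both requests over plain HTTP.
    print("http  -> http :", replay(http_url, http_url))
    # The jar still holds the cookie; it is released only for HTTPS.
    print("http  -> https:", replay(http_url, https_url))
    # Without the Secure attribute the cookie is sent over HTTP as well.
    plain = "PHPSESSID=constructed0123456789abcdef; path=/"
    print("no Secure flag:", replay(http_url, http_url, plain))
```

The cookie is present in the jar in all three runs; only the request over plain HTTP with the `secure` attribute goes out without a `Cookie` header, so PHP and Apache2 never see it.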