
Who drops the Secure cookie in PHP with apache2 over HTTP?


I am learning session and cookie configuration in PHP.

I set up PHP running on an apache2 server on my localhost.

I tried to use the tool Insomnia to send a GET request to the endpoint (http://localhost:8000/test.php) with the script below.

<?php

session_start(['cookie_secure' => true]);

if (isset($_SESSION['token'])) {
    exit($_SESSION['token']);
}

$_SESSION['token'] = bin2hex(random_bytes(32));

exit;

After the first request, I managed to get the session cookie and set $_SESSION['token'].

When I sent the second request, I did not receive the token. The reason is that the session cookie is not received by PHP.

My question is: who actually discards the cookie in the second request? Insomnia, PHP, or apache2?


Solution

  • Insomnia would have dropped it because you flagged the cookie as secure then used HTTP instead of HTTPS.
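
The client-side rule behind this answer, as an added example that is not part of the original post: it uses the cookie jar from Python's standard library as a stand-in for an HTTP client, on the assumption that Insomnia's jar applies the same Secure rule. The `FakeResponse` class, the `cookie_sent` helper and the session id `abc123` are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, first_url, second_url):
    """Store the cookie from the first response, then return the Cookie
    header the client attaches to the second request (None if withheld)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(first_url))
    second = urllib.request.Request(second_url)
    jar.add_cookie_header(second)
    return second.get_header("Cookie")


# Constructed sample values; the session id is made up.
SECURE = "PHPSESSID=abc123; path=/; secure; HttpOnly"  # cookie_secure => true
PLAIN = "PHPSESSID=abc123; path=/; HttpOnly"           # cookie_secure => false
HTTP_URL = "http://localhost:8000/test.php"
HTTPS_URL = "https://localhost:8000/test.php"

if __name__ == "__main__":
    # The jar stores the Secure cookie but withholds it on plain HTTP,
    # so PHP and apache2 never see it on the second request.
    print("secure cookie, http  ->", cookie_sent(SECURE, HTTP_URL, HTTP_URL))
    print("secure cookie, https ->", cookie_sent(SECURE, HTTP_URL, HTTPS_URL))
    print("plain cookie,  http  ->", cookie_sent(PLAIN, HTTP_URL, HTTP_URL))
```
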