[Split from] SSL, Cookie Secure, etc...

END OF SUPPORT: 1 January 2017 (announcement)
gianluigi.zanettini
Registered User
Posts: 111
Joined: Fri Sep 07, 2007 9:09 pm
Location: Ferrara, Italy

Post by gianluigi.zanettini »

Very informative topic, thanks!

I'm facing the same situation: my board is accessible both over HTTP and over HTTPS, whatever the user chooses. Currently I can confirm that:
  1. Cookie secure: off - works fine in this scenario
  2. Cookie secure: on - creates problems when the user requests the board via HTTP
  3. With Cookie secure: off, the user ALWAYS gets plain, unencrypted cookies, even if the negotiation is done via HTTPS
So I'm a bit puzzled, since an insecure cookie defeats the purpose of HTTPS (more or less, let's not get too fine-detailed!). I'd like to understand: why does the phpBB option Cookie secure exist in the first place? Wouldn't it be a better choice to just set the cookie "secure" or "not secure" automatically, switching on HTTP or HTTPS (you just need to change the 6th parameter!)?

Edit: I created a ticket for this.
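
The per-request switching proposed in the post above, as an added example that is not part of the original thread and is not phpBB code. The function names are hypothetical, and it assumes the web server terminates TLS itself so that `$_SERVER['HTTPS']` is reliable (behind a TLS-terminating proxy it is not).

```php
<?php
// Added example (not phpBB code); function names are hypothetical.

/**
 * Decide whether the request arrived over HTTPS.
 * $server is normally $_SERVER; it is a parameter so the logic can run offline.
 */
function request_is_https(array $server): bool
{
    // PHP exposes a non-empty HTTPS value other than "off" for TLS requests.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Fallback for servers that do not populate HTTPS.
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/**
 * Build a Set-Cookie header value, adding Secure only on HTTPS requests.
 * Same decision as passing request_is_https($_SERVER) as the 6th argument
 * (secure) of PHP's setcookie().
 */
function build_cookie_header(string $name, string $value, int $expires,
                             string $path, string $domain, array $server): string
{
    $parts = [
        $name . '=' . rawurlencode($value),
        'expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expires),
        'path=' . $path,
    ];
    if ($domain !== '') {
        $parts[] = 'domain=' . $domain;
    }
    if (request_is_https($server)) {
        $parts[] = 'Secure';   // browser will never send it over plain HTTP
    }
    $parts[] = 'HttpOnly';     // keep the session id away from page scripts
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Constructed sample requests: one plain HTTP, one HTTPS.
$samples = [
    'http'  => ['SERVER_PORT' => '80'],
    'https' => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
];
foreach ($samples as $label => $server) {
    echo $label, ': ',
        build_cookie_header('example_sid', 'abc123', 86400, '/', '', $server), "\n";
}
```

On a board reachable over both schemes, a cookie issued this way over HTTPS is withheld by the browser on later HTTP requests, so the visitor appears logged out there, while a cookie issued over HTTP carries no Secure attribute and is sent over both schemes.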
yaashul
Registered User
Posts: 331
Joined: Mon Apr 17, 2006 3:21 pm
Location: India

Re: [Split from] SSL, Cookie Secure, etc...

Post by yaashul »

Can you please tell us how it can be done in phpBB 3.0.12?