Cookies in my app are not secured and not HTTP-only, but they are configured exactly as in the example in the CakePHP Book 2.0 - Session Configuration.

Configure::write('Session', array(
    'defaults' => 'php',
    'timeout' => 30,
    'cookieTimeout' => 30,
    'ini' => array(
        'session.cookie_secure' => true,
        'session.cookie_httponly' => true
    )
));

I am using SSL so this should be done automatically, but it's not happening, not even when I set this manually, see the code above. Cookie timeouts work well.

Any ideas? Thank you very much!

wewo

1 Answer

Here you have used 'PHP' as the default parameter; in this case your application takes the timeout from the main PHP configuration, such as the php.ini file. You can set it to 'cake' to control your session scope.

Mumtaz Ahmad
  • Thank you for the comment, but it didn't solve my problem. I have changed the 'defaults' parameter to 'cake' but all the cookies are still unsecured and not httponly. – wewo Feb 26 '15 at 14:34