In my php.ini confirmed I have:
session.cookie_secure = 1
Also, doing:
<?php print_r(session_get_cookie_params()); ?>
Results in:
Array ( [lifetime] => 0 [path] => / [domain] => [secure] => 1 [httponly] => 1 )
However, inspecting a page in my application with Chrome Developer tools, going to cookies, it lists that sessions cookie is not secure, and not http only.
分享 Similar to my answer in another question, Chrome developer tools always show blank Secure and HTTP attributes when the cookie is sent in the request. This is because the fact that a cookie is secure or HTTP only is not actually sent in a HTTP request. All that is sent is the name/value pair in the Cookie HTTP request header:
Cookie: name=value
Try an extension such as Edit This Cookie which will show whether the cookie has been successfully set as secure and HTTP Only.
分享
