secure flag prevents the browser from sending the cookie on unencrypted HTTP requests, so an attacker eavesdropping on the connection cannot read that cookie.
SSL cookie without Secure flag
A cookie without the secure flag set is sent on every HTTP request that matches the cookie's scope (domain and path), encrypted or not. This means that if your site inadvertently triggers a plain HTTP request (without encryption), that request carries the cookie, and any attacker who can eavesdrop on the victim's traffic will be able to read it.
If the cookie in question is the session cookie, the attacker can hijack the victim's account.
Add the following to
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.use_only_cookies', '1');
These calls must run before session_start(); once the session cookie has been emitted, changing session.* settings does nothing for that response.
That’s it, you’re done.
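The settings above only help if they are applied before the session starts and the page is actually served over HTTPS (a browser simply drops a Secure cookie set over plain HTTP). The following is an added example, not the original page's snippet: a hardened session bootstrap that applies the three settings, adds SameSite, and refuses to start a session when the effective configuration or the transport would expose the cookie. The file name session_bootstrap.php and the function session_cookie_problems() are hypothetical names chosen for this example.

```php
<?php
// Added example (not from the original page): hardened session bootstrap.
// Hypothetical file session_bootstrap.php, included before any output and
// before any other call to session_start() in the application.

declare(strict_types=1);

// ini_set() on session.* must happen before session_start(); after the
// session cookie has been sent these changes do not affect this response.
ini_set('session.cookie_secure', '1');    // Secure: never sent over plain HTTP
ini_set('session.cookie_httponly', '1');  // HttpOnly: not readable by script
ini_set('session.use_only_cookies', '1'); // never accept PHPSESSID from the URL
ini_set('session.use_strict_mode', '1');  // reject uninitialised IDs (session fixation)

// PHP >= 7.3: the array form also sets SameSite on the session cookie.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',     // host-only cookie
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

/**
 * Check the effective session cookie configuration and the transport.
 * Returns a list of problems; an empty array means the session may start.
 */
function session_cookie_problems(): array
{
    $problems = [];
    $p = session_get_cookie_params();

    if (empty($p['secure'])) {
        $problems[] = 'session cookie lacks Secure';
    }
    if (empty($p['httponly'])) {
        $problems[] = 'session cookie lacks HttpOnly';
    }
    if (ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session ID may be accepted from the URL';
    }

    // A Secure cookie is never stored by the browser if this response itself
    // travels over plain HTTP, so fail closed instead of silently losing logins.
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (PHP_SAPI !== 'cli' && !$https) {
        $problems[] = 'request is not over HTTPS; the browser would drop a Secure cookie';
    }

    return $problems;
}

$problems = session_cookie_problems();
if ($problems !== []) {
    http_response_code(500);
    error_log('session bootstrap refused: ' . implode('; ', $problems));
    exit;
}

session_start();
```

To verify on a deployed site, request a page that starts a session with curl (curl -sI https://your-host/login.php) and confirm the Set-Cookie line for PHPSESSID ends with secure; HttpOnly; SameSite=Lax. Behind a TLS-terminating reverse proxy, $_SERVER['HTTPS'] is often absent; in that case derive the HTTPS check from X-Forwarded-Proto, but only when the request demonstrably arrived from your own proxy, since that header is otherwise attacker-controlled.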