Fun Snags with Drupal Cookies

Shortly after Drupal fixed their issues with cookie demotion, I applied the patch. Unfortunately, since I run both http and https on my site, when I added ini_set('session.cookie_secure', 1) to my settings.php, it caused cookies for my site to get marked as secure even for http visitors. This had the side effect of breaking comments for my site, since the captcha module could not track users that properly solved it. Some of you noticed and contacted me, thanks for the heads up. Check below the fold for some suggestions and solutions for flagging Drupal and other php-based session cookies as secure for mixed sites.

The fix is to throw this in your settings.php instead:

if ($_SERVER['HTTPS']) {
  ini_set('session.cookie_secure', 1);

You could also opt for doing something similar with separate virtual hosts and per-host php.ini files or .htaccess files, and the ask apache site does a pretty good job of laying out most of these options. Unfortunately, since I use fastcgi to launch my php, the .htaccess and local php.ini files are ignored, as are directives in the virtual host entries in httpd.conf, so I am pretty much stuck with either instructing Drupal to set the PHP pref, or making a special wrapper for each virtual host I have. I chose the Drupal route. If anyone would care to comment on getting fastcgi based setups working without the need to create a wrapper for each virtual host, I'm sure it would be appreciated.

To get you started, the syntax for the php.ini setting is:

And for .htaccess or httpd.conf, it is:
php_flag session.cookie_secure On

does this force the https for authenticated sessions?

as said at (Securing Drupal for authenticated users) the goal would be to protect all the authenticated sessions with SSL

this way could I login with normal HTTP?

in this case, what else should I set to obtain the desired result? I'm a simple end user, so this topic is already highly difficult to me, and I will thankful for any help or reference


Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
  ____        _  __  __  ____     ____ 
| _ \ | | \ \/ / | _ \ / ___|
| |_) | _ | | \ / | |_) | | | _
| __/ | |_| | / \ | _ < | |_| |
|_| \___/ /_/\_\ |_| \_\ \____|
Enter the code depicted in ASCII art style.