
richard@gorbutt.com

Session Cookies not secure

I've just spun up a Spark/Laravel 5.4 site, deployed the alpha to one of my Forge-provisioned boxes, and used Let's Encrypt for SSL.

I decided to let Mozilla Observatory have at it for security and it came back an "F". It got really dinged on the Session cookies not being secure. Inspecting the cookies with Chrome Developer Tools does indeed show they are not secure.

It also got flagged on some stuff I can do with the server.

However, I'm not a real security geek so any thoughts from the wise on making session cookies secure?

Thanks, Richard

0 likes
4 replies
Cronix

Do you have encrypt set to true or secure set to true in the session config?

richard@gorbutt.com

Thanks @Cronix

I had relied on the statement from the 5.4 docs:

Cookies & Encryption

By default, all cookies generated by Laravel are encrypted and signed so that they can't be modified or read by the client.

and mistook the encryption to also mean secure; however, looking at my source, in the session config it's set to false.

Thanks for the pointer and being wise.

richard@gorbutt.com

So, a quick env addition on the HTTPS staging site (& prod):

SESSION_SECURE_COOKIE=true

and voilà. Just the HSTS and CSP to fix now :)

Thanks for the help and guidance, @Cronix.
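Added example, not code from this thread and not Laravel's own files. It puts the two settings Cronix asked about side by side: the config/session.php entries are written in the shape of Laravel's 5.x config (the key names match, the env() stand-in is mine), and a small Set-Cookie audit then runs over constructed headers to reproduce the kind of finding Mozilla Observatory raised. The SameSite check goes beyond what the thread covers; Laravel's same_site config key only appears in releases after 5.4 (assumption about the exact version).

```php
<?php
// Added example (not from the thread, not Laravel's shipped files).
// Part 1 mirrors the config/session.php entries behind the cookie flags a
// scanner checks; part 2 audits Set-Cookie headers over constructed samples.

// Stand-in for Laravel's env() helper so the file runs outside the framework
// (assumption: a real deployment reads .env through Laravel, not this function).
function env(string $key, $default = null)
{
    $value = getenv($key);
    if ($value === false) {
        return $default;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? $value;
}

// Part 1: the session keys that matter here. 'encrypt' protects the cookie
// contents (the client can't read or forge them); 'secure' makes the browser
// send the cookie over HTTPS only; 'http_only' hides it from JavaScript.
// Encryption alone never sets the Secure attribute, which is what got flagged.
function sessionConfig(): array
{
    return [
        'cookie'    => 'laravel_session',
        'encrypt'   => false,
        'secure'    => env('SESSION_SECURE_COOKIE', false),   // SESSION_SECURE_COOKIE=true in .env
        'http_only' => true,
    ];
}

// Build the Set-Cookie attribute list the browser would receive for a config.
// The value is a constructed placeholder; the real one is Laravel's encrypted payload.
function buildSetCookie(array $config, string $value = 'PLACEHOLDER_ENCRYPTED_VALUE'): string
{
    $parts = [$config['cookie'] . '=' . $value, 'Max-Age=7200', 'path=/'];
    if ($config['secure']) {
        $parts[] = 'secure';
    }
    if ($config['http_only']) {
        $parts[] = 'httponly';
    }
    return implode('; ', $parts);
}

// Part 2: audit one Set-Cookie header for the attributes a scanner looks for.
function auditSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $name  = explode('=', array_shift($parts), 2)[0];
    $attrs = [];
    foreach ($parts as $part) {
        [$k, $v] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower($k)] = $v;
    }
    $findings = [];
    if (!isset($attrs['secure']))   { $findings[] = 'missing Secure (cookie is also sent over plain HTTP)'; }
    if (!isset($attrs['httponly'])) { $findings[] = 'missing HttpOnly (readable from JavaScript)'; }
    if (!isset($attrs['samesite'])) { $findings[] = 'missing SameSite (no cross-site request hardening from the browser)'; }
    return ['cookie' => $name, 'findings' => $findings];
}

// Constructed headers: the shipped default (secure=false) and the current env.
$before = buildSetCookie(['cookie' => 'laravel_session', 'encrypt' => false, 'secure' => false, 'http_only' => true]);
$after  = buildSetCookie(sessionConfig());   // run with SESSION_SECURE_COOKIE=true in the environment

foreach (['default' => $before, 'current env' => $after] as $label => $header) {
    $result = auditSetCookie($header);
    printf("%-12s %s\n", $label . ':', $header);
    foreach ($result['findings'] as $finding) {
        printf("    - %s\n", $finding);
    }
}
```

Run it twice, once plain and once as `SESSION_SECURE_COOKIE=true php audit.php`, to see the Secure finding disappear. One caveat worth keeping in mind when flipping the flag: a browser never sends a Secure cookie over http://, so a local development box served over plain HTTP will lose its session entirely. That is why the setting belongs in the per-environment .env rather than hard-coded in config/session.php.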

amosmos

This is an old thread, but I noticed that even today the default in Laravel is still not to use the secure flag on cookies, and I was wondering why. Does anybody know?

3 likes
