Sorry for my question, but out of curiosity, what is this code for?
config/session.php
'secure' => env('SESSION_SECURE_COOKIE', true)
What will happen if I set it to false or true?
Description
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
I know that there's a description already but do you have any specific explanation for this? I just want to understand it as a whole.
There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts.
A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this attribute can't offer real protection. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52).
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
A cookie is a small piece of data that a server sends to the user's web browser, which may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged in, for example.
When you are browsing a website, you should notice that there is a padlock or a "Not Secure" label on the left side of the address bar... those with a padlock are actually HTTPS, which is secure HTTP, where the communication between you and the server is encrypted... HTTP and HTTPS both listen on their own different ports, and each is a different session.
Some websites enable both HTTP and HTTPS. By setting this value to true, the server will receive session cookies if and only if your browser is accessing it via an HTTPS connection.