MyBB Community Forums

Full Version: Securing Cookies
I am trying to currently set it so that my site is secure at least to the point of giving me peace of mind. How do I set
session.cookie_secure =
and
session.cookie_httponly =

I tried 1, True, and On, as values. I restarted apache2 each time. I then went to https://observatory.mozilla.org/ to check and see if cookies are then sent through https only, yet all three of those values are not working. Am I doing something wrong? Please help. I am currently editing the php.ini in "etc/php/7.0/apache2/php.ini" (Don't know if telling you that path poses a security risk but I doubt it)

My Website Is -> https://www.forgottenninjas.com/

**EDIT** Ok so I am looking at the PHP info in the ACP -> Tools & Maintenance -> View PHP Info and I am noticing both of the session.cookie_secure =, and session.cookie_httponly = are set to "On" though. Yet https://observatory.mozilla.org/ is saying it is not being flagged as secure. I'm super confused
I believe we set most (if not all cookies) with the HTTP header instead of PHP functions so those config values shouldn't be affecting things, unless I'm missing something.

You can hack away at inc/functions.php (my_setcookie function) to add a param for the secure flag and if that's set then append Secure; before the HttpOnly flag.
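An added example, not MyBB's own code from inc/functions.php, of the change described above: a my_setcookie-style helper that writes the Set-Cookie header itself (which is why the php.ini session.cookie_secure and session.cookie_httponly values do nothing here; those only govern the cookie PHP's own session_start() emits) and appends Secure before HttpOnly when asked to, plus a small checker that reports which of the two attributes a header is missing. The function names build_cookie_header, my_setcookie_example and missing_cookie_flags, and the path, domain and prefix values, are assumptions for illustration, not MyBB's real signatures or settings.

```php
<?php
// Added example, not MyBB's code: a my_setcookie-style helper that builds
// the Set-Cookie header by hand and supports the Secure and HttpOnly attributes.

/**
 * Build a Set-Cookie header value. Returned as a string so it can be
 * inspected as well as sent.
 */
function build_cookie_header(string $name, string $value, int $expires,
    string $path, string $domain, bool $secure, bool $httponly): string
{
    // Encode name and value so ';' or ',' in user data cannot inject attributes.
    $header = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expires > 0) {
        // Browsers expect an RFC 1123 style GMT date.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expires);
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    // Secure: the browser only sends the cookie over HTTPS, so it never
    // crosses the wire in clear text.
    if ($secure) {
        $header .= '; Secure';
    }
    // HttpOnly: document.cookie cannot read it, so injected script cannot
    // exfiltrate it.
    if ($httponly) {
        $header .= '; HttpOnly';
    }
    return $header;
}

/**
 * Send the cookie. The $secure parameter is the one Josh H. suggests adding;
 * the path, domain and prefix are assumed stand-ins for board settings.
 */
function my_setcookie_example(string $name, string $value, int $expires = 0,
    bool $httponly = false, bool $secure = false)
{
    $path   = '/';    // assumed; MyBB reads this from its settings
    $domain = '';     // assumed; empty means "current host only"
    $prefix = '';     // assumed cookie prefix
    header('Set-Cookie: ' . build_cookie_header($prefix . $name, $value,
        $expires, $path, $domain, $secure, $httponly), false);
}

/**
 * Return the names of the attributes (Secure, HttpOnly) missing from a
 * Set-Cookie header value. An empty array means both are present.
 */
function missing_cookie_flags(string $set_cookie_header): array
{
    $attrs = array_map('trim', explode(';', $set_cookie_header));
    array_shift($attrs); // drop the name=value pair
    $lower = array_map('strtolower', $attrs);
    $missing = [];
    if (!in_array('secure', $lower, true)) {
        $missing[] = 'Secure';
    }
    if (!in_array('httponly', $lower, true)) {
        $missing[] = 'HttpOnly';
    }
    return $missing;
}

// Demonstration on a constructed cookie: one with both flags, one with neither.
$hardened = build_cookie_header('mybb_sid', 'constructed-value', time() + 3600, '/', '', true, true);
$plain    = build_cookie_header('mybb_sid', 'constructed-value', time() + 3600, '/', '', false, false);
echo $hardened, "\n";
echo 'missing from hardened: ', implode(', ', missing_cookie_flags($hardened)), "\n";
echo 'missing from plain: ', implode(', ', missing_cookie_flags($plain)), "\n";
```

PHP's built-in setcookie() accepts the same two attributes as its sixth ($secure) and seventh ($httponly) parameters, but since MyBB assembles the header string itself, the flag has to be appended where that string is built. The checker is the same test the Observatory applies to each Set-Cookie header it sees in the response.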
(2016-11-02, 05:03 AM)Josh H. Wrote: I believe we set most (if not all cookies) with the HTTP header instead of PHP functions so those config values shouldn't be affecting things, unless I'm missing something.

Would it be safe to send a screenshot of the https://observatory.mozilla.org/? I can if it poses no security risk.
(2016-11-02, 05:05 AM)piecrustyumyum Wrote:
(2016-11-02, 05:03 AM)Josh H. Wrote: I believe we set most (if not all cookies) with the HTTP header instead of PHP functions so those config values shouldn't be affecting things, unless I'm missing something.

Would it be safe to send a screenshot of the https://observatory.mozilla.org/? I can if it poses no security risk.

Yeah. I'm pretty sure I know the issues you're talking about though (since I've used the observatory to get my site to A+ there). It's not a security risk if people already know your domain. Anyone can run the test anyways.

This is also something we were talking about on the team before I left, but 1.8.8 was feature frozen by the time I thought about adding the flag, so maybe it could happen in 1.8.9 now that 1.8.8 is dealt with.
(2016-11-02, 05:22 AM)Josh H. Wrote:
(2016-11-02, 05:05 AM)piecrustyumyum Wrote:
(2016-11-02, 05:03 AM)Josh H. Wrote: I believe we set most (if not all cookies) with the HTTP header instead of PHP functions so those config values shouldn't be affecting things, unless I'm missing something.

Would it be safe to send a screenshot of the https://observatory.mozilla.org/? I can if it poses no security risk.

Yeah. I'm pretty sure I know the issues you're talking about though (since I've used the observatory to get my site to A+ there). It's not a security risk if people already know your domain. Anyone can run the test anyways.

This is also something we were talking about on the team before I left, but 1.8.8 was feature frozen by the time I thought about adding the flag, so maybe it could happen in 1.8.9 now that 1.8.8 is dealt with.
So as it is now what should I do? Should I wait for MyBB to come out with those security features or attempt at doing it myself? I would prefer as soon as possible but I have absolutely no schooling under my belt on how this stuff works and everything I have learned thus far is from googling a lot and knowing how to use google well lol

I wish they had built in spoilers lol but here is the gyazo of the whole observatory **REMOVED BY POSTER**
Setting cookies with the Secure flag will be possible in MyBB 1.8.9 and you can implement this feature by applying these changes: https://github.com/mybb/mybb/pull/2468/files (skip install/resources/upgrade37.php and instead of modifying install/resources/settings.xml add a setting with same parameters).
MyBB already takes advantage of httpOnly for ACP session cookies; if we wanted to extend this coverage we'd have to make sure other cookies are not being accessed with JavaScript in the core or in popular plugins.