Question

I'm using IPB and I run my site over SSL (HTTPS), fully functional, but I have an issue. Basically, cookies do not have the parameter "https only" / "secure", which is pretty essential in case SSL turns off, in which case the cookie cannot be transferred over HTTP (plain text). I've read an article on how to do it, but it doesn't work that way with IPB. Here's how it's set:

 Line 4227:    @setcookie( $_name, $value, $expires, $_path, $_domain . '; HttpOnly' );
 Line 4231:    @setcookie( $_name, $value, $expires, $_path );
 Line 4236:    @setcookie( $_name, $value, $expires, $_path, $_domain, NULL, TRUE );
 Line 4241:    @setcookie( $_name, $value, $expires, $_path, $_domain );

How can I enforce the "secure" parameter?

Solution

It's right in the setcookie() documentation. Set parameter #6 to TRUE:

@setcookie( $_name, $value, $expires, $_path, $_domain, TRUE, TRUE );
                                                        ^-#6 secure
                                                              ^-#7 httponly

Other tips

For the session cookie, you can set the defaults in your PHP.INI file:

session.cookie_httponly = On
session.cookie_secure = On

Or you can set these at run time before starting the session.

session_set_cookie_params($expires, $_path, $_domain, TRUE, TRUE);
session_start();

For all other cookies, you will need to use the parameters of the setcookie function.

setcookie($_name, $_value, $expires, $_path, $_domain, TRUE, TRUE);

Note that the httponly parameter (the last one) was added in PHP 5.2.0.
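
To confirm the flags are actually being sent, the following added example (not part of either answer and not IPB code) scans response headers for cookies that lack the Secure or HttpOnly attribute. The function name audit_cookie_flags and the sample headers are constructed for illustration.

```php
<?php
// Added example (not IPB code): report Set-Cookie headers missing Secure or HttpOnly.

/**
 * @param string[] $headers Raw response header lines, e.g. from headers_list().
 * @return array<string, string[]> Cookie name => list of missing attributes.
 */
function audit_cookie_flags(array $headers): array
{
    $findings = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        // Split "name=value; attr; attr=val" into the pair and its attributes.
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        $name  = explode('=', array_shift($parts), 2)[0];

        // Attribute names are case-insensitive; drop any "=value" part.
        $attrs = [];
        foreach ($parts as $p) {
            $attrs[] = strtolower(explode('=', $p, 2)[0]);
        }

        $missing = array_values(array_diff(['secure', 'httponly'], $attrs));
        if ($missing) {
            $findings[$name] = $missing;
        }
    }
    return $findings;
}

// Constructed sample headers (cookie names and values are made up).
$sample = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: session_id=abc123; path=/; domain=example.com; HttpOnly',
    'Set-Cookie: member_id=42; path=/',
    'Set-Cookie: pass_hash=deadbeef; path=/; domain=example.com; secure; HttpOnly',
];

// In a web request, pass headers_list() after the cookies have been set.
foreach (audit_cookie_flags($sample) as $cookie => $missing) {
    echo $cookie, ' is missing: ', implode(', ', $missing), PHP_EOL;
}
```

Any cookie the function reports is still being set through a setcookie() call that does not pass TRUE as parameter #6 or #7.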

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow