security headers for cookies. secure and httponly?

Question

bnomei opened this issue 7 years ago · comments

i am using kirby for a ssl enabled (letsencrypt, c::set('ssl', true) ) website.
but i get warnings for cookie http headers, whats wrong?

maybe case httpOnly must match or missing semicolon?

Set-Cookie

kirby_session=6u6hb25027kqkud167gkt3ol85; path=/
kirby_session=6u6hb25027kqkud167gkt3ol85; path=/; secure; httponly

Lukas Bestle · Answer 1 · Tue Dec 05 2017 23:59:18 GMT+0800 (China Standard Time)

Well, that's strange. Kirby should not set two cookies, only one. I will investigate.

Sonja Broda · Answer 2 · Wed Dec 06 2017 00:01:45 GMT+0800 (China Standard Time)

However, we had issues with 2 Cookies in the past: https://forum.getkirby.com/t/set-cookie-twice/5444?