
Document SESSION_SECURE_COOKIE #795

Open
bluecmd opened this issue Apr 6, 2022 · 1 comment

bluecmd commented Apr 6, 2022

Hi,

I recently realized that IXP-Manager by default does not seem to set the secure bit on session cookies.
After digging around I found it is possible to enable this by setting SESSION_SECURE_COOKIE but I didn't find this mentioned anywhere in the docs or example .env files.

What do you think about setting this by default - or at least mentioning it in the .env files?

@barryo barryo self-assigned this Apr 6, 2022

barryo commented Apr 6, 2022

Hi @bluecmd,

so just for anyone else reading this, the functionality here is:

    | By setting this option to true, session cookies will only be sent back
    | to the server if the browser has a HTTPS connection. This will keep
    | the cookie from being sent to you if it can not be done securely.

It's a framework config and here's Laravel's current version, which is NULL by default.

I'm definitely happy to document it. I think I'm also happy to default it in the next release - the internet landscape is moving to https only and we should be along for the ride.

Just as an aside - the cookies are encrypted by default already. This is probably why Laravel have not defaulted this and with their massive user base, that kind of change to the defaults in the framework would probably have a lot of fallout. E.g. many Laravel apps might just run on http without a security need for https (marketing sites).
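To confirm on a running instance whether the option quoted above actually took effect, here is an added check (not code from this issue, IXP-Manager or Laravel) that parses raw Set-Cookie header values and lists session cookies the browser would still send over plain HTTP. The `_session` suffix follows Laravel's default `<app>_session` cookie naming, and the header values are constructed samples, not captured output.

```python
"""Report session cookies whose Set-Cookie header lacks the Secure attribute."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flags such as Secure
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def insecure_session_cookies(headers, session_suffix="_session"):
    """Return names of session cookies set without the Secure flag.

    Laravel names its session cookie '<app>_session' by default, so the
    suffix is used to pick session cookies out of the response (assumption).
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.endswith(session_suffix) and "secure" not in cookie.attrs:
            findings.append(cookie.name)
    return findings


# Constructed samples: the first as a Laravel app behaves with SESSION_SECURE_COOKIE
# unset, the second after SESSION_SECURE_COOKIE=true is added to .env.
DEFAULT_HEADERS = [
    "XSRF-TOKEN=abc123; expires=Wed, 06 Apr 2022 12:00:00 GMT; Max-Age=7200; path=/; samesite=lax",
    "example_session=def456; expires=Wed, 06 Apr 2022 12:00:00 GMT; Max-Age=7200; path=/; httponly; samesite=lax",
]
HARDENED_HEADERS = [
    "XSRF-TOKEN=abc123; expires=Wed, 06 Apr 2022 12:00:00 GMT; Max-Age=7200; path=/; secure; samesite=lax",
    "example_session=def456; expires=Wed, 06 Apr 2022 12:00:00 GMT; Max-Age=7200; path=/; secure; httponly; samesite=lax",
]

if __name__ == "__main__":
    print("default:", insecure_session_cookies(DEFAULT_HEADERS))    # ['example_session']
    print("hardened:", insecure_session_cookies(HARDENED_HEADERS))  # []
```

On a live deployment, feed it the Set-Cookie values from the login page response instead of the samples.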
