Greetings,
I’m trying to get a secure cookie working on my site. I only use HTTPS on the login page and can easily set the secure flag for the cookie.
The problem is the rest of my site is HTTP and I have a small auto-login script on the header of every page, which causes the HTTPS cookie not to be sent. This script periodically checks for cookies after the session expires and then re-starts the session if the cookie is valid. I like this script because it “seamlessly” restarts the session of the user without redirecting them to a separate HTTPS page - which could delete information if the user was filling out a very long form while the session expired.
Here is an example page: http://www.mysite.com/product/234/
<?php
// ...
// Check cookies, re-validate and re-start session
if (!isset($_SESSION['username']) && isset($_COOKIE['auth'])) {
    $root = $_SERVER["DOCUMENT_ROOT"];
    include($root . '/persistent-login.php');
}
// ...
?>
This script is on an HTTP page, so how can I get a secure cookie out of this seamlessly without redirecting and causing issues for the user?
Thanks
Kind regards
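The browser-side behaviour behind this question, as an added example that is not part of the original post: a simplified version of the RFC 6265 cookie selection steps, showing that a cookie set with the Secure flag is left out of the request for the HTTP product page, so `isset($_COOKIE['auth'])` is false there. The jar contents, the token values and the `/login` path are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 section 5.4 cookie selection.
// Cookie values and the jar below are constructed sample data.

function domainMatch(host, cookie) {
  host = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (host === d) return true;
  // Host-only cookies (no Domain attribute) require an exact match.
  return !cookie.hostOnly && host.endsWith("." + d);
}

function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Returns the Cookie header value a user agent would attach to `url`.
function cookieHeaderFor(url, jar, now = Date.now()) {
  const u = new URL(url);
  const secureChannel = u.protocol === "https:";
  return jar
    .filter((c) => domainMatch(u.hostname, c))
    .filter((c) => pathMatch(u.pathname, c.path))
    .filter((c) => c.expires === null || c.expires > now)
    // The step that matters here: Secure cookies never go over plain HTTP.
    .filter((c) => !c.secure || secureChannel)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: a Secure persistent-login cookie and a non-Secure session id.
const jar = [
  { name: "auth", value: "SAMPLE_TOKEN", domain: "www.mysite.com",
    hostOnly: true, path: "/", secure: true, expires: null },
  { name: "PHPSESSID", value: "SAMPLE_SESSION", domain: "www.mysite.com",
    hostOnly: true, path: "/", secure: false, expires: null },
];

// HTTP product page: only the non-Secure session cookie is sent.
console.log(cookieHeaderFor("http://www.mysite.com/product/234/", jar));
// HTTPS login page: both cookies are sent.
console.log(cookieHeaderFor("https://www.mysite.com/login", jar));
```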