Setting Secure Cookie with HTTPS - Auto-login

Greetings,

I’m trying to get a secure cookie working on my site. I only use HTTPS on the login page and can easily set the secure flag for the cookie.

The problem is the rest of my site is HTTP and I have a small auto-login script on the header of every page, which causes the HTTPS cookie not to be sent. This script periodically checks for cookies after the session expires and then re-starts the session if the cookie is valid. I like this script because it “seamlessly” restarts the session of the user without redirecting them to a separate HTTPS page - which could delete information if the user was filling out a very long form while the session expired.

Here is an example page: http://www.mysite.com/product/234/

<?php
// ...
// Check cookies, re-validate and re-start session
if (!isset($_SESSION['username']) && isset($_COOKIE['auth'])) {
	$root = $_SERVER["DOCUMENT_ROOT"];
	include($root.'/persistent-login.php');
}
// ...
?>

This script is on an HTTP page, so how can I get a secure cookie out of this seamlessly without redirecting and causing issues for the user?

Thanks
Kind regards

You can’t, that’s the whole point of secure cookies. Is there any reason you don’t want to run your whole site under SSL? More and more websites are doing it nowadays, and there aren’t a lot of reasons not to do that any more.
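
Added example, not part of either post: a bootstrap file that serves every page over HTTPS, so the Secure `auth` cookie reaches the auto-login check from the question. The file name, the 30-day lifetime, the `issue_auth_cookie()` helper and the `SameSite=Lax` choice are assumptions; the option-array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// https-bootstrap.php (hypothetical name): include first on every page.
const CANONICAL_HOST  = 'www.mysite.com'; // fixed value, never the client's Host header
const AUTH_COOKIE_TTL = 30 * 24 * 3600;   // assumed 30-day persistent login

// Assumes TLS terminates on this server; behind a proxy, check its forwarded header instead.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!request_is_https()) {
    // 301 for reads; 308 keeps the method and body of other requests.
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $status = in_array($method, ['GET', 'HEAD'], true) ? 301 : 308;
    header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, $status);
    exit;
}

// Tell browsers to use HTTPS for this host for the next year.
header('Strict-Transport-Security: max-age=31536000');

// Session cookie: sent over HTTPS only and hidden from JavaScript.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Call from the login page after a successful login. $token is whatever
// persistent-login.php validates (its format is not shown in the thread).
function issue_auth_cookie(string $token): void
{
    setcookie('auth', $token, [
        'expires'  => time() + AUTH_COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The check from the question, now always running on an HTTPS request.
if (!isset($_SESSION['username']) && isset($_COOKIE['auth'])) {
    include $_SERVER['DOCUMENT_ROOT'] . '/persistent-login.php';
}
```

Once every link and form action points at `https://`, the redirect only fires for old bookmarks and typed URLs, so a user filling out a long form never leaves HTTPS and the session restarts in place.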
