I'm trying to create a secure session by creating start_secure_session() function like this:
function start_secure_session() {
$session_name = 'secure_session';
$secure = true;
$httponly = true;
if (ini_set('session.use_only_cookies', 1) === false) {
die('error');
}
$cookie_params = session_get_cookie_params();
session_set_cookie_params($cookie_params["lifetime"],
$cookie_params["path"],
$cookie_params["domain"],
$secure,
$httponly);
session_name($session_name);
session_start();
session_regenerate_id(true);
}
The problem is, start_secure_session() is not saving $_SESSION super global variable. It's unset immediately when the page refreshed. It works only if I comment this out:
//$cookie_params = session_get_cookie_params();
//session_set_cookie_params($cookie_params["lifetime"],
// $cookie_params["path"],
// $cookie_params["domain"],
// $secure,
// $httponly);
or in other words, not setting a custom cookie params.
What should I do to make it works? So, the session_start() can work properly and $_SESSION variable can remember it's value?
I think it is because of the secure=TRUE and you not using HTTPS? It will not create a session on a non-secure connection with secure set to TRUE.