I am trying to change some PHP session parameters using php_value commands in .htaccess since I am using a shared server and cannot access php.ini directly.
However, it seems that the hosting server does not allow the php_value commands in .htaccess and they say that their PHP settings cannot be changed/overridden.
My question: Is there a workaround for that or do I have to change my hosting server?
You can change php.ini settings at the top of your PHP file using the ini_set() function: http://php.net/manual/en/function.ini-set.php. However, your provider might be set up not to allow it for the parameters you want to set.
Include something like the following at the top of each file that users access:
ini_set('session.cookie_secure', 1); // If you are using https
ini_set('session.cookie_httponly', 1);
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
You should do this before anything to do with sessions. It's probably worth moving this to a .inc file that is included at the top of all pages, if you don't have a file like that already that you can move them to.
You can test that the ini_set changes have been allowed by your provider by checking their return values, perhaps using a wrapper like:
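function set_ini($name, $value) {
    // ini_set() returns the old value on success (which may be "0" or "")
    // and false on failure, so compare strictly against false.
    if (ini_set($name, $value) === false) {
        throw new RuntimeException('ini_set failed for '.$name);
    }
}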
(thanks to @hanshenrik for the tip about checking return value)
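The approach in this answer, written out as a single include file. This is an added example, not code from the original answer: the file name `session_bootstrap.inc`, the function `apply_session_settings()` and the HTTPS detection via `$_SERVER['HTTPS']` are assumptions. It reads each value back with ini_get() and refuses to start a session if the host rejected any setting.

```php
<?php
// session_bootstrap.inc (hypothetical file name): include before any output.

/**
 * Apply session ini settings and return the names the host refused.
 * ini_set() returns the OLD value on success (possibly "0" or ""),
 * so failure must be detected with === false, not with !.
 */
function apply_session_settings(array $settings): array
{
    $refused = [];
    foreach ($settings as $name => $value) {
        if (ini_set($name, (string) $value) === false) {
            $refused[] = $name;
            continue;
        }
        // Read back to confirm the runtime value really changed.
        if ((string) ini_get($name) !== (string) $value) {
            $refused[] = $name;
        }
    }
    return $refused;
}

// Session ini settings cannot be changed once a session is active.
if (session_status() === PHP_SESSION_ACTIVE) {
    throw new RuntimeException('Session already started; apply settings first');
}

// Assumption: TLS terminates at this server, so $_SERVER['HTTPS'] is reliable.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

$refused = apply_session_settings([
    'session.use_cookies'      => 1,
    'session.use_only_cookies' => 1,
    'session.cookie_httponly'  => 1,
    'session.cookie_secure'    => $isHttps ? 1 : 0,
]);

if ($refused !== []) {
    // Fail closed: do not run with weaker cookie flags than intended.
    error_log('Session settings refused by host: ' . implode(', ', $refused));
    http_response_code(500);
    exit('Session configuration error');
}

session_start();
```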