I am trying to secure my sessions. While doing some research, I reckoned that PHP’s PHPSESSID+random hash based on Agent and IP is good enough to secure against hijacking. What else can you do, really.

I am using HTTPS for the login. As far as I could understand, the session data from PHP is never sent to the user, but rather stored on the server-side. The client only gets the id for the session. The session data holds the actual webapp’s user session, which in turn is used to check if the login is valid. All fine and dandy.

However, there is a detail I can’t find anywhere. I would like to to know if the cookie containing the PHP session id is automatically marked secure if I am using HTTPS. I did some google searches but never seemed to get the right search string because i only find ways of manually sending cookies. I would like to know because if that cookie is sent clear-text, it would compromise some of the security via man-in-the-middle.

EDIT 1

This is an addition for @ircmaxell

I tried out your method but somehow I still get the cookie when I switch from HTTPS back to HTTP. The way it should work is the following. Whenever the server is aware that a user session is available, it sets the secure flag. This means that the entire site runs on SSL as soon as you are logged in and refuses to give away/use the cookie whenever you don’t use SSL. Or at least, that’s the idea.

if ($SysKey['user']['session_id'] != '') {
   session_set_cookie_params(60*60*24*7, '/', $SysKey['server']['site'], true, true);
}

I assume I need to regenerate the id since the Browser already had the cookie before the login but since I can only try it out in a few hours, I’ll ask here before trying

NOTES TO SOLUTION

I just found out that you have to set these settings before starting the session. That was my problem. I am now using 2 different cookies. One for the regular guest that is sent via http, and a second for logged in users that is only sent via ssl.