> On 7 June 2020 at 22:15, AllenJB <php.li...@allenjb.me.uk> wrote:
>
> Are there any other session (security) related settings that should be
> tightened by default? (cookie_samesite?)
Yes, of course:

* session.cookie_httponly should be "1" by default.
* session.cookie_samesite should be "Lax" by default.
* Ideally, session.cookie_secure should be enabled by default on https; sadly, the setting does not allow different values for secure and insecure connections.

—Claude
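Added example (not code from the thread, nor from PHP's own sources): since php.ini cannot carry one cookie_secure value for HTTP and another for HTTPS, the secure flag is decided per request at runtime, and a small helper audits the running ini values against the two defaults proposed above. It assumes PHP 7.3 or later, where session_set_cookie_params() accepts an options array and session.cookie_samesite exists; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Compare the running php.ini session cookie settings with the
 * defaults proposed in the thread. Returns one message per deviation;
 * an empty array means nothing needs tightening.
 */
function auditSessionCookieIni(): array
{
    $wanted = [
        'session.cookie_httponly' => '1',
        'session.cookie_samesite' => 'Lax',
    ];
    $findings = [];
    foreach ($wanted as $key => $expected) {
        $actual = (string) ini_get($key);
        // Boolean ini values come back as "", "0", "1", "On", ... : normalise them.
        if ($key === 'session.cookie_httponly') {
            $actual = filter_var($actual, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
        }
        if (strcasecmp($actual, $expected) !== 0) {
            $findings[] = sprintf('%s is "%s", recommended "%s"', $key, $actual, $expected);
        }
    }
    return $findings;
}

/**
 * Cookie parameters for the current request. The secure flag follows the
 * transport of this request, which php.ini alone cannot express.
 */
function sessionCookieParams(bool $isHttps): array
{
    return [
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => $isHttps, // only mark Secure when the request itself used TLS
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['SERVER_PORT'] ?? null) == 443);

// Must be called before session_start(), otherwise the cookie is already sent.
session_set_cookie_params(sessionCookieParams($isHttps));
session_start();

foreach (auditSessionCookieIni() as $finding) {
    error_log('[session-audit] ' . $finding);
}
```

Behind a TLS-terminating proxy $_SERVER['HTTPS'] is usually unset, so the $isHttps check has to be derived from the proxy's trusted forwarded headers instead.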