You are right, perhaps this should be controlled simply by an ini flag: session https only.
On Mon, 28 Mar 2016, 01:09 Stanislav Malyshev, <smalys...@gmail.com> wrote:
> Hi!
>
> >> Could we also add HTTPS detection and enable the secure flag by default
> >> when a session is established on an HTTPS endpoint?
>
> You cannot see if your connection would be HTTPS or not - the connection
> can be terminated on frontend services (like nginx or varnish) that
> handle HTTPS and then pass the actual work to a backend like fpm or apache
> or whatever it is. In this situation, you may have no information about
> whether the connection to the client is HTTPS or not.
>
> And in general, AFAIK there is no standard protocol to establish this
> kind of info. There are all kinds of ways people do it, but each of them
> is peculiar to a specific setup.
>
> I also think it is a mistake to have default behavior controlled by
> external factors beyond the server admin's control. Server behavior should
> be predictable. The admin should set it up properly; if the admin is not
> knowledgeable enough to set it up, I don't think we can improve it by
> introducing variable defaults into the mix.
> --
> Stas Malyshev
> smalys...@gmail.com
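The two options discussed above, side by side, as an added illustration that is not code from the thread or from PHP itself: the explicit, admin-controlled setting (`session.cookie_secure`, a real PHP ini directive) versus deployment-specific HTTPS detection behind a TLS-terminating proxy. The detection function assumes the proxy signals the original scheme with an `X-Forwarded-Proto` header, which is a common convention rather than a standard, and it honours that header only when `REMOTE_ADDR` is in a hypothetical operator-maintained `$trusted_proxies` list, because any client can send the header itself if the proxy does not overwrite it. The three sample requests (direct TLS, via a trusted proxy, and a client spoofing the header) are constructed, not real traffic.

```php
<?php
// Option 1: explicit and predictable. The admin decides; no detection involved.
// Equivalent to "session.cookie_secure = 1" in php.ini.
ini_set('session.cookie_secure', '1');

// Option 2: detection that depends on how the TLS terminator is set up.
// $trusted_proxies is an assumed, operator-maintained list of proxy addresses
// known to overwrite X-Forwarded-Proto on every request they forward.
function request_is_https(array $server, array $trusted_proxies): bool
{
    // TLS terminated on this server: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Behind a terminating proxy: only trust the forwarded scheme from a known hop.
    // An untrusted client can put any value in this header, so it is ignored otherwise.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return false;
    }

    // Some proxies append to an existing comma-separated list; take the first entry.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = trim(explode(',', $proto)[0]);
    return strtolower($first) === 'https';
}

// Constructed sample requests (not captured traffic).
$trusted_proxies = ['10.0.0.5'];
$direct_tls = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.10'];
$via_proxy  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed    = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https'];

var_dump(request_is_https($direct_tls, $trusted_proxies));
var_dump(request_is_https($via_proxy, $trusted_proxies));
var_dump(request_is_https($spoofed, $trusted_proxies));

// If detection is used at all, it has to run before session_start(), since the
// cookie flags are fixed when the session cookie is emitted.
// (lifetime, path, domain, secure, httponly)
if (request_is_https($_SERVER, $trusted_proxies)) {
    session_set_cookie_params(0, '/', '', true, true);
}
```

The spoofed request is rejected only because the caller knows which address the proxy uses; a different frontend (a different header name, a proxy that does not strip client-supplied headers, or a setup with no forwarding header at all) would need different code, which is the point made above about every detection method being tied to one particular deployment.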