This is not a phpMyFAQ problem (and most – if not all – readers on this forum are likely to know this).
HTTP support for secure login (a very useful feature) was implemented in the phpMyFAQ 2.6.x series (thanks to the Development Team and to Tobias Hommel – that first suggested it and sent sample code).
In some circumstances it is possible to hijack cookies even when HTTPS is used.
This happens (for instance) if cookies aren’t marked as secure by the server.
Some user-side browser protection software (e.g. NoScript for Firefox) may force cookies to be marked as secure. However, this action should be performed on the origin (that is, on the server).
In our situation (apart from other security measures), editing the php.ini and (simply) changing the value from 0 to 1 in one line activates this cookie behavior.
The changed line:
Code: Select all
session.cookie_secure = 1
If sensitive data is being served, a more reliable system is needed (naturally).
Note: one could also use HTTP ETag