First I wouldn’t use:
isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'
This can be manipulated easily, since it comes via the headers of the HTTP request; it may be set by some server with some configuration on top of FastCGI in the back end itself, yet it can also be sent from the "front end", which could easily fake the request by doing something like this:
curl -i -H "X-Forwarded-Proto: https" http://site/teste
In fact it is mostly used for "proxy" "control", like https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/#how-to-use-it-in-Nginx, but really, if $_SERVER['HTTPS'] is not "populated", I believe it is a bad configuration of the "reverse proxy" or "load balancer"; I do not understand much.
These headers (the Forwarded ones), if I am not mistaken, are geared to settings in these types of "proxies" (all on the server side only) and should not be exposed to the client nor mixed with what comes from the client side, but many people configure that sloppily.
I may be wrong, but from what I know about servers, if everything is set up correctly, only this should always work:
// Set by the web server itself when the request arrived over TLS
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
    ...
}
In your script it will not "affect" anything, because in fact it is meaningless; the use of the IF itself is unnecessary (but I will talk more about this below).
About the cookie problem without HTTPS
You have to make sure that you have not accidentally created cookies outside of HTTPS, because then there will be something else; now it's about setting them at the moment you access over HTTPS.
Because by your code, if you run with HTTPS and without HTTPS, cookies will always be generated, so probably both exist; if the intention is only to authenticate over HTTPS then only this would suffice:
public function renewCookiePublic($token, $user)
{
    // sixth argument (secure = true): browser only sends these cookies over HTTPS
    setrawcookie("_token_access", $token, time() + 10800, '/', '', true);
    setrawcookie("_user_access", trim($user), time() + 10800, '/', '', true);
}
Nor would I need to check whether it is HTTPS, because, as the documentation itself says about the fifth parameter of the setcookie and setrawcookie functions:
Indicates that the cookie can only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will be sent ONLY if a secure connection exists. On the server side, it is up to the programmer to send this type of cookie only over a secure connection (e.g. respecting $_SERVER["HTTPS"]).
Then probably in your file there is the cookie without HTTPS checked because you really generated it, either by accessing without HTTPS and then with HTTPS, or simply this IF of yours may be wrong and your Apache or Nginx server is set up wrong.
Look into that.
– user178974
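As an added example (not part of the answer above, and not the asker's code): a PHP helper that treats X-Forwarded-Proto as trustworthy only when the request came in from one of your own reverse proxies, and a renewCookiePublic variant that refuses to issue the cookies over plain HTTP instead of silently creating a second, non-secure pair. The proxy addresses, the standalone-function form and the sample request arrays are assumptions made for the example.

```php
<?php
// Added example: is this request really HTTPS? Any client can send
// X-Forwarded-Proto directly (see the curl example in the answer), so the
// header is honoured only when the immediate peer is a known proxy.

// Assumption: addresses of your reverse proxies / load balancers (placeholders).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function isHttpsRequest(array $server): bool
{
    // Set by the web server itself when TLS terminates on this host.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a TLS-terminating proxy $_SERVER['HTTPS'] is absent; trust the
    // forwarded header only if the connection came from a trusted proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    }
    return false;
}

// Standalone version of the asker's renewCookiePublic (assumed name reuse).
function renewCookiePublic(string $token, string $user): bool
{
    // Do not create the auth cookies at all on a plain-HTTP request, so a
    // non-secure duplicate pair can never appear next to the secure one.
    if (!isHttpsRequest($_SERVER)) {
        return false;
    }
    $opts = [
        'expires'  => time() + 10800,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
    setrawcookie('_token_access', $token, $opts);
    setrawcookie('_user_access', trim($user), $opts);
    return true;
}

// Constructed samples: the same spoofable header, once from an arbitrary
// client talking to the app directly, once arriving via a trusted proxy.
$direct   = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(isHttpsRequest($direct), isHttpsRequest($viaProxy));
```

The options-array form of setrawcookie requires PHP 7.3 or newer; on older versions fall back to the positional arguments used in the answer.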