Zend_Auth is not Meant to Work with Secure Cookies

Zend_Auth does not work with secure cookies, nor is it meant to and that’s OK. Its all in how one configures their server and site. I did spend literally all day on it debugging and trying to trace code to determine if my heavy refactoring was responsible. It turned out that I had changed a setting in php.ini which only became active once I restarted the server, having long forgotten that I edited the file and thought changing session.cookie_secure would make my server, ah hmm, more secure.

Thanks to Silvan Muhlemann whose postings on a related issue helped me figure out the source the issue. Others have had this issue without realizing, like me, exactly what secure cookies are meant for: http://zend-framework-community.634137.n4.nabble.com/Secure-Cookies-Prevent-Login-td676747.html

About Secure Cookies

The PHP manual says:

"session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4."

Thus, a secure cookie cannot be sent over plain HTTP, but instead over HTTPS (SSL or TLS; it doesn’t matter). So, obviously this should not work on a non SSL site and its not Zend_Auth’s fault.

How to Avoid This

In php.ini cookie_secure must be set to off:

  [session]
  session.cookie_secure = 0

Or, in your Zend_Config readable config file (perhaps application.ini?):

  phpSettings.session.cookie_secure = 0

You can also set options for Zend_Session (but not in place of the above):

  Zend_Session::setOptions(array(
      ‘cookie_lifetime’ => 0,
      ‘cookie_path’     => “/admin”,
      ‘cookie_domain’   => “.test.com”,
      ‘cookie_secure’   => false,
      ‘cookie_httponly’ => true
  ));

If You Still Want to Work With Secure Cookies

Here is a custom session handler to work around it: http://bigornot.blogspot.com/2008/06/zendauth-and-secure-cookies.html

More about secure cookies