Zend_Auth is not Meant to Work with Secure Cookies

Zend_Auth does not work with secure cookies, nor is it meant to, and that's OK. It's all in how one configures the server and site. I did spend literally all day on it debugging and trying to trace code to determine if my heavy refactoring was responsible. It turned out that I had changed a setting in php.ini which only became active once I restarted the server, having long forgotten that I had edited the file and thought that changing session.cookie_secure would make my server, ah hmm, more secure.

Thanks to Silvan Muhlemann, whose postings on a related issue helped me figure out the source of the issue. Others have had this issue without realizing, like me, exactly what secure cookies are meant for: http://zend-framework-community.634137.n4.nabble.com/Secure-Cookies-Prevent-Login-td676747.html

About Secure Cookies

The PHP manual says:

"session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4."

Thus, a cookie carrying the Secure flag is never sent by the browser over plain HTTP, only over HTTPS (SSL or TLS; it doesn't matter which). So a login whose session cookie is marked Secure obviously cannot persist on a non-SSL site, and it's not Zend_Auth's fault.

How to Avoid This

In php.ini, session.cookie_secure must be set to off:

  session.cookie_secure = 0

Or, in your Zend_Config readable config file (perhaps application.ini?):

  phpSettings.session.cookie_secure = 0

You can also set options for Zend_Session (but not in place of the above):

  Zend_Session::setOptions(array(
      'cookie_lifetime' => 0,
      'cookie_path'     => '/admin',
      'cookie_domain'   => '.test.com',
      'cookie_secure'   => false,
      'cookie_httponly' => true
  ));
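Rather than hard-coding the flag to off, the Secure flag can be derived from the transport the request actually arrived on, which keeps it where it protects the session (HTTPS) and drops it only where it would break the login. The following is an added example, not code from this post or from Zend Framework; it assumes Zend Framework 1.x (Zend_Session) and that it runs in the bootstrap before the session is started.

```php
<?php
// Added example, not code from the post or from Zend Framework. Assumes
// Zend Framework 1.x (Zend_Session) and that this runs in the bootstrap
// before Zend_Session::start() / Zend_Auth is used.

// True when the request arrived over TLS. $_SERVER['HTTPS'] is the normal
// signal; X-Forwarded-Proto is only trustworthy behind a proxy you control,
// so honouring it is opt-in.
function requestIsHttps(array $server, $trustForwardedProto = false)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustForwardedProto && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// The post's failure mode as a predicate: a cookie carrying the Secure flag
// that is set during a plain-HTTP request is never sent back by the browser,
// so the session id is lost and Zend_Auth::hasIdentity() is false next hit.
function sessionCookieWillReturn(array $server, $cookieSecure)
{
    return !$cookieSecure || requestIsHttps($server);
}

// Diagnostic for exactly the situation described in the post: php.ini has
// session.cookie_secure on but this request came in over plain HTTP.
$iniSecure = filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN);
if (!sessionCookieWillReturn($_SERVER, $iniSecure)) {
    error_log('session.cookie_secure is on but the request is HTTP: '
            . 'the session cookie will not come back and the login will not stick');
}

// Derive the Secure flag from the transport instead of hard-coding 0:
// HTTPS keeps it (the session cookie is never leaked over plain HTTP),
// plain HTTP drops it so the login works at all. HttpOnly stays on.
$https = requestIsHttps($_SERVER);
Zend_Session::setOptions(array(
    'cookie_lifetime' => 0,
    'cookie_path'     => '/admin',     // path and domain values from the post
    'cookie_domain'   => '.test.com',
    'cookie_secure'   => $https,
    'cookie_httponly' => true,
));
Zend_Session::start();
```

The error_log line is the check to watch for in the server log when a login silently stops persisting after a php.ini change.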

If You Still Want to Work With Secure Cookies

Here is a custom session handler to work around it: http://bigornot.blogspot.com/2008/06/zendauth-and-secure-cookies.html

More about secure cookies