[GLPI 10.0.15] PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.

[as-umed]

Code of Conduct

• I agree to follow this project's Code of Conduct

Is there an existing issue for this?

• I have searched the existing issues

Version

10.0.15

Bug description

After installing and configuring the GLPI installation, adding LDAP config the problem occurs: "PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol." Everything is set up in config. For test purposes I added this directive to .htaccess. I tried with 1, "1", true, "true", on and "on", the problem still occurs.

Relevant log output

No response

Page URL

https://glpi/front/config.form.php

Steps To reproduce

1. Install GLPI
2. Configure LDAP
3. Get the error on main page

Your GLPI setup information

Information about system installation & configuration

GLPI 10.0.15 ( => /var/www/glpi./public_html)
Installation mode: TARBALL
Current language:en_US

Server

Operating system: Linux 6.1.0-18-amd64 #​1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
PHP 8.2.18 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bcmath, bz2,
calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring,
mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, random, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem,
sysvshm, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="3072M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="2M" disable_functions=""
Software: Apache/2.4.59 (Debian) (Apache/2.4.59 (Debian) Server at glpi. Port 443
)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Server Software: Debian 12
Server Version: 10.11.6-MariaDB-0+deb12u1
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: root@localhost/glpi_prd
Host info: Localhost via UNIX socket

PHP version (8.2.18) is supported.PHP version (8.2.18) is supported.
Sessions configuration is OK.Sessions configuration is OK.
Allocated memory is sufficient.Allocated memory is sufficient.
mysqli extension is installed.mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.curl extension is installed.
gd extension is installed.gd extension is installed.
intl extension is installed.intl extension is installed.
zlib extension is installed.zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.11.6) is supported.Database engine version (10.11.6) is supported.
No files from previous GLPI version detected.No files from previous GLPI version detected.
The log file has been created successfully.The log file has been created successfully.
Write access to /var/www/glpi./public_html/files/_cache has been validated. Write access to /var/www/glpi./public_html/files/_cron has been validated. Write access to /var/www/glpi./public_html/files has been validated. Write access to /var/www/glpi./public_html/files/_dumps has been validated. Write access to /var/www/glpi./public_html/files/_graphs has been validated. Write access to /var/www/glpi./public_html/files/_lock has been validated. Write access to /var/www/glpi./public_html/files/_pictures has been validated. Write access to /var/www/glpi./public_html/files/_plugins has been validated. Write access to /var/www/glpi./public_html/files/_rss has been validated. Write access to /var/www/glpi./public_html/files/_sessions has been validated. Write access to /var/www/glpi./public_html/files/_tmp has been validated. Write access to /var/www/glpi./public_html/files/_uploads has been validated.Write access to /var/www/glpi./public_html/files/_cache has been validated.
Write access to /var/www/glpi./public_html/files/_cron has been validated.
Write access to /var/www/glpi./public_html/files has been validated.
Write access to /var/www/glpi./public_html/files/_dumps has been validated.
Write access to /var/www/glpi./public_html/files/_graphs has been validated.
Write access to /var/www/glpi./public_html/files/_lock has been validated.
Write access to /var/www/glpi./public_html/files/_pictures has been validated.
Write access to /var/www/glpi./public_html/files/_plugins has been validated.
Write access to /var/www/glpi./public_html/files/_rss has been validated.
Write access to /var/www/glpi./public_html/files/_sessions has been validated.
Write access to /var/www/glpi./public_html/files/_tmp has been validated.
Write access to /var/www/glpi./public_html/files/_uploads has been validated.

Web server root directory configuration seems safe.Web server root directory configuration seems safe.
PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.
OS and PHP are relying on 64 bits integers.OS and PHP are relying on 64 bits integers.
exif extension is installed.exif extension is installed.
ldap extension is installed.ldap extension is installed.
openssl extension is installed.openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi./public_html/marketplace has been validated.Write access to /var/www/glpi./public_html/marketplace has been validated.
Timezones seems loaded in database.Timezones seems loaded in database.

GLPI constants

GLPI_ROOT: "/var/www/glpi./public_html"
GLPI_CONFIG_DIR: "/var/www/glpi./public_html/config"
GLPI_VAR_DIR: "/var/www/glpi./public_html/files"
GLPI_MARKETPLACE_DIR: "/var/www/glpi./public_html/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\/\/[^@:]+(\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_TEXT_MAXSIZE: "4000"
GLPI_DOC_DIR: "/var/www/glpi./public_html/files"
GLPI_CACHE_DIR: "/var/www/glpi./public_html/files/_cache"
GLPI_CRON_DIR: "/var/www/glpi./public_html/files/_cron"
GLPI_DUMP_DIR: "/var/www/glpi./public_html/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/glpi./public_html/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/glpi./public_html/files/_locales"
GLPI_LOCK_DIR: "/var/www/glpi./public_html/files/_lock"
GLPI_LOG_DIR: "/var/www/glpi./public_html/files/_log"
GLPI_PICTURE_DIR: "/var/www/glpi./public_html/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/glpi./public_html/files/_plugins"
GLPI_RSS_DIR: "/var/www/glpi./public_html/files/_rss"
GLPI_SESSION_DIR: "/var/www/glpi./public_html/files/_sessions"
GLPI_TMP_DIR: "/var/www/glpi./public_html/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/glpi./public_html/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/glpi./public_html/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/glpi./public_html/locales"
GLPI_VERSION: "10.0.15"
GLPI_SCHEMA_VERSION: "10.0.15@2eed74704cb07e0bac48b933cbd5c1c356f09629"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2024"

Libraries

htmlawed/htmlawed version 1.2.14 in (/var/www/glpi./public_html/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/glpi./public_html/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/glpi./public_html/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.7.5 in (/var/www/glpi./public_html/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi./public_html/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi./public_html/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi./public_html/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/glpi./public_html/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/glpi./public_html/vendor/sabre/http/lib)
sabre/uri in (/var/www/glpi./public_html/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/glpi./public_html/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/glpi./public_html/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/glpi./public_html/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/glpi./public_html/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi./public_html/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/glpi./public_html/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/glpi./public_html/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi./public_html/vendor/symfony/console)
scssphp/scssphp in (/var/www/glpi./public_html/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/glpi./public_html/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/glpi./public_html/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/glpi./public_html/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/glpi./public_html/vendor/ramsey/uuid/src)
psr/log in (/var/www/glpi./public_html/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/glpi./public_html/vendor/psr/simple-cache/src)
psr/cache in (/var/www/glpi./public_html/vendor/psr/cache/src)
league/csv in (/var/www/glpi./public_html/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/glpi./public_html/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/glpi./public_html/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/glpi./public_html/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/glpi./public_html/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/glpi./public_html/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/glpi./public_html/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/glpi./public_html/vendor/symfony/cache)
html2text/html2text in (/var/www/glpi./public_html/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/glpi./public_html/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/glpi./public_html/vendor/symfony/dom-crawler)
twig/twig in (/var/www/glpi./public_html/vendor/twig/twig/src)
twig/string-extra in (/var/www/glpi./public_html/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/glpi./public_html/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/glpi./public_html/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/glpi./public_html/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/glpi./public_html/vendor/thenetworg/oauth2-azure/src/Provider)

LDAP directories

Server: '', Port: '389', BaseDN: '', Connection filter: none, RootDN: '',
Use TLS: none

SQL replicas

Not active

Notifications

Way of sending emails: PHP

Mails receivers

Plugins list

Anything else?

No response

[cedric-anne]

Hi,

Could you check if #17314 fixes this issue ?

[as-umed]

@cedric-anne Anne, I swapped lines in [src/System/Requirement/SessionsSecurityConfiguration.php] and in [src/Auth.php] but the message in [/front/central.php] still remains the same. Big orange bar with this 'PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol.' message.

[cedric-anne]

It looks like your htaccess file is not correctly applied. The expected directive is php_value session.cookie_secure 1.

[as-umed]

@cedric-anne OK, moved .htaccess to catalogue public and now everything's good. Why wouldn't it work by setting this parameter globally in php.ini?

Thank for your assistance, problem fixed by #17314 and .htaccess.

[cedric-anne]

Why wouldn't it work by setting this parameter globally in php.ini?

It works when it is set in the php.ini file. You may have to reload the related sevice, that can be Apache, PHP-FPM, ... depending on your server configuration.

[as-umed]

@cedric-anne I've set it on all php.ini files I could find, restarted all services, no success, I've restarted even a whole VM:

fpm/php.ini:;session.cookie_secure = 1
cli/php.ini:;session.cookie_secure = 1
apache2/php.ini:;session.cookie_secure = 1
root@<REDACTED>:/etc/php/8.2#

But with .htaccess it's OK.

[cedric-anne]

The ; char is used to comment lines. It means that the line is ignored and it explains why your configuration is not applied.

[as-umed]

@cedric-anne Yeah, definetely, I have to buy new glasses or set bigger text in terminal... Thank you so much. I've read those lines for hundreds of times, didn't see the semicolone.