About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds HttpOnly support to setcookie() and setrawcookie(). Setting the flag has been possible with header() all along, but this patch (applied by Ilia) makes it much easier.

Andrew has more information about browser compatibility, and he links to a potential solution for (and further discussion about) Mozilla/Firefox's lack of support.
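For anyone still on a PHP release without the patched setcookie(), here is the header() approach the post refers to, as an added example (not from the post or from PHP itself). The function name, the cookie name and value, and the one-hour lifetime are assumptions for illustration.

```php
<?php
// Added example: build a Set-Cookie header with the HttpOnly flag by hand,
// so the same cookie can be emitted through header() on PHP versions whose
// setcookie() has no httponly argument. Name and defaults are assumptions.
function build_set_cookie($name, $value, $expire = 0, $path = '/',
                          $domain = '', $secure = false, $httponly = true)
{
    // URL-encode the value as setcookie() does, so ';', ',' and whitespace
    // in the value cannot terminate the cookie-value field early.
    $header = 'Set-Cookie: ' . $name . '=' . urlencode($value);
    if ($expire > 0) {
        // Cookie expiry dates use the "Wdy, DD-Mon-YYYY HH:MM:SS GMT" form.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    if ($httponly) {
        // The flag browsers that support it use to hide the cookie from script.
        $header .= '; HttpOnly';
    }
    return $header;
}

// Assumed usage: a session-style cookie that page script must not be able
// to read. The second argument (false) tells header() to add this line
// rather than replace an earlier Set-Cookie header, as setcookie() would.
header(build_set_cookie('PHPSESSID', 'abc123', time() + 3600, '/', '', true), false);

// With the patch discussed above (PHP 5.2+) the same cookie is one call:
// setcookie('PHPSESSID', 'abc123', time() + 3600, '/', '', true, true);
```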

About This Post

PHP Gets HttpOnly Cookies was posted on Fri, 11 Aug 2006 at 15:45:15 GMT.

8 Comments

1. jordi said:

[mr burns]

excellent...

[/mr burns]

Fri, 11 Aug 2006 at 16:09:43 GMT


2. Nate Klaiber said:

This is good news!

Fri, 11 Aug 2006 at 16:38:49 GMT


3. James Benson said:

Surprised to see Mozilla does not support this already and IE does.

Fri, 11 Aug 2006 at 20:08:05 GMT


4. Chris Shiflett said:

Microsoft came up with it.

Fri, 11 Aug 2006 at 20:19:45 GMT


5. wesley said:

I just implemented a _set_cookie function which builds the string for header() and adds "HttpOnly".

However, I have a question, I'd like to know if all clients support multiple header lines for the same cookie:

set-cookie: PHPSESSID=4444777...

set_cookie: PHPSESSID=444545545 ...

Set-Cookie: PHPSESSID=444545545.. HttpOnly;

First line is caused by session_start();

Second by session_regenerate_id();

Third by my _set_cookie function.

Sun, 13 Aug 2006 at 21:43:42 GMT


6. Emmanuel said:

This is kind of bad. Although it helps (and it is a hack rather than a standard), it does not fully prevent anything and gives a false sense of security.

This is one of their notes:

"Note The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Used alone, it cannot completely eliminate the danger of cross-site scripting"

Also, it could potentially be a source of problems for people using cookies in a good fashion. I hate to say it, but I'd rather figure out a way to prevent XSS with good coding in the back end rather than a hack in the client that can cause many headaches.

Mon, 14 Aug 2006 at 03:12:45 GMT


7. wesley said:

Emmanuel, it's you, the webmaster, who decides which cookies should be accessible from the client (JavaScript) and which shouldn't, so I don't get your last point.

Mon, 14 Aug 2006 at 07:53:14 GMT


8. Matt Mecham said:

You don't have to wait for PHP 5.2 to start using this, and you don't have to hand-roll your own setcookie methods, thanks to a lax check in the PHP source code.

http://blog.mattmecham.com/archives...ithout_php.html

Thu, 14 Sep 2006 at 13:06:11 GMT

