About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds support for HttpOnly to setcookie() and setrawcookie(). This has been possible with header() all along, but this patch (applied by Ilia) makes things much easier. For anyone unfamiliar with the flag: HttpOnly asks a browser that honours it to keep the cookie out of document.cookie, so script injected through a cross-site scripting hole cannot simply read and exfiltrate it, while the cookie is still sent back to the server on every matching request as usual.

Andrew has more information about browser compatibility, and he links to a potential solution for (and further discussion about) Mozilla/Firefox's lack of support.
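As an added example (not code from the post or from PHP's own source), here is a helper that sets an HttpOnly cookie on any PHP 5 release: it uses the new seventh parameter of setcookie() where the patch is present (it shipped in PHP 5.2.0) and otherwise falls back to the hand-built Set-Cookie header that header() has always allowed. The cookie name, value and domain are made up for the illustration.

```php
<?php
/**
 * Added example, not from the original post or from PHP itself.
 * Sets an HttpOnly cookie on any PHP 5 release: uses the seventh
 * (httponly) parameter of setcookie() on 5.2.0 and later, and falls
 * back to a hand-built Set-Cookie header on older versions.
 */
function set_httponly_cookie($name, $value, $expire = 0, $path = '/',
                             $domain = '', $secure = false)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // Seventh argument is httponly (added by the patch discussed above).
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Pre-5.2 fallback: replicate the header format setcookie() itself emits.
    $header = 'Set-Cookie: ' . $name . '=' . urlencode($value);
    if ($expire > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    $header .= '; HttpOnly';

    // Second argument false: append this header instead of replacing an
    // earlier Set-Cookie, so several cookies can be set in one response.
    header($header, false);
    return true;
}

// Usage with constructed values (the domain and token are made up):
set_httponly_cookie('auth', 'f0e1d2c3a4b5', time() + 3600, '/', 'example.com', true);

// On the next request the application reads it as it always did ...
//   $_COOKIE['auth']
// ... but script in the page cannot read it through document.cookie in a
// browser that honours the flag.
```

Note that setcookie() must be called before any output, exactly like header(); the fallback inherits that restriction.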

About This Post

PHP Gets HttpOnly Cookies was posted on Fri, 11 Aug 2006 at 15:45:15 GMT.

8 Comments

1. jordi said:

[mr burns]

excellent...

[/mr burns]

Fri, 11 Aug 2006 at 16:09:43 GMT


2. Nate Klaiber said:

This is good news!

Fri, 11 Aug 2006 at 16:38:49 GMT


3. James Benson said:

Surprised to see Mozilla do not support this already and IE does.

Fri, 11 Aug 2006 at 20:08:05 GMT


4. Chris Shiflett said:

Microsoft came up with it.

Fri, 11 Aug 2006 at 20:19:45 GMT


5. wesley said:

I just implemented a _set_cookie function which builds the string for header() and adds "HttpOnly".

However, I have a question. I'd like to know if all clients support multiple header lines for the same cookie:

Set-Cookie: PHPSESSID=4444777...

Set-Cookie: PHPSESSID=444545545 ...

Set-Cookie: PHPSESSID=444545545.. HttpOnly;

The first line is caused by session_start();

the second by session_regenerate_id();

the third by my _set_cookie function.

Sun, 13 Aug 2006 at 21:43:42 GMT
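An added example, not from the post or from either commenter, that addresses the three-Set-Cookie-lines situation described in the comment above: rather than appending a third, hand-built header for PHPSESSID, make the session cookie itself HttpOnly so the headers that session_start() and session_regenerate_id() emit already carry the flag. It assumes PHP 5.2.0 or later, where the session.cookie_httponly directive and the fifth parameter of session_set_cookie_params() arrived alongside the setcookie() change; the header-inspection helper at the end is my own addition.

```php
<?php
// Added example (not code from the original post or the commenters).
// Configure the session cookie as HttpOnly before the session starts, so
// every PHPSESSID header PHP emits carries the flag and no separate
// hand-built Set-Cookie is needed. Requires PHP 5.2.0 or later.

// Either of the following is enough; both must run before session_start().
ini_set('session.cookie_httponly', 1);
// session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly)
session_set_cookie_params(0, '/', '', isset($_SERVER['HTTPS']), true);

session_start();

// Regenerating the id after a privilege change (the usual defence against
// session fixation) sends a second Set-Cookie for PHPSESSID; it inherits
// the same HttpOnly setting because it goes through the same cookie code.
session_regenerate_id(true);

/**
 * Returns every Set-Cookie header queued for this response that lacks
 * HttpOnly, so a stray cookie can be caught before the headers go out.
 * headers_list() has been available since PHP 5.0.
 */
function cookie_headers_missing_httponly()
{
    $missing = array();
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'HttpOnly') === false) {
            $missing[] = $h;
        }
    }
    return $missing;   // empty array: every cookie header carries the flag
}

if (count(cookie_headers_missing_httponly()) > 0) {
    error_log('Set-Cookie header without HttpOnly queued in this response');
}
```

On the duplicate-header question itself: a browser keeps the most recent Set-Cookie it receives for a given name, domain and path, so the second PHPSESSID line from session_regenerate_id() simply replaces the first. What matters is that each copy carries HttpOnly, which the configuration above guarantees without a third header.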


6. Emmanuel said:

This is kind of bad. Although it helps (and it is a hack rather than a standard), it does not fully prevent XSS and gives a false sense of security.

This is one of their notes:

"Note: The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Used alone, it cannot completely eliminate the danger of cross-site scripting."

And also, it could potentially be a source of problems for people using cookies in a good fashion. I hate to say it, but I'd rather figure out a way to prevent XSS with good coding on the back end rather than a hack in the client that can cause many headaches.

Mon, 14 Aug 2006 at 03:12:45 GMT


7. wesley said:

Emmanuel, it's you, the webmaster, who decides which cookies should be accessible from the client (JavaScript) and which shouldn't, so I don't get your last point.

Mon, 14 Aug 2006 at 07:53:14 GMT


8. Matt Mecham said:

You don't have to wait for PHP 5.2 to start using this, and you don't have to hand-roll your own setcookie methods, thanks to a lax check in the PHP source code.

http://blog.mattmecham.com/archives...ithout_php.html

Thu, 14 Sep 2006 at 13:06:11 GMT





