About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds support for HttpOnly to setcookie() and setrawcookie(). This has been possible with header() all along, but this patch (applied by Ilia) makes things much easier.

Andrew has more information about browser compatibility, and he links to a potential solution for (and further discussion about) Mozilla/Firefox's lack of support.
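As an added example (not code from the post or from the patch), here is a helper that passes the new seventh setcookie() argument where it exists and otherwise builds the Set-Cookie header for header(), which the post notes was always possible. The function name set_httponly_cookie is my own, and the cookie name is assumed to be valid already:

```php
<?php
// Added example, not from the original post. Emits an HttpOnly cookie on
// PHP builds that predate the patched setcookie(), and uses the new
// argument where it exists. set_httponly_cookie is a name of my own.

function set_httponly_cookie($name, $value, $expire = 0, $path = '/',
                             $domain = '', $secure = false)
{
    // PHP 5.2 and later: the seventh argument to setcookie() is HttpOnly.
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Older PHP: build the Set-Cookie header by hand. The value is
    // urlencoded the same way setcookie() encodes it.
    $header = 'Set-Cookie: ' . $name . '=' . urlencode($value);

    if ($expire > 0) {
        // Cookie expiry dates are written in GMT.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    $header .= '; HttpOnly';

    // Second argument false: do not replace Set-Cookie headers already
    // queued for this response, such as the one from session_start().
    header($header, false);
    return true;
}

// Must be called before any output is sent. Sample values are constructed.
set_httponly_cookie('auth', 'example-token', time() + 3600, '/', '', true);
```

The flag only keeps script on the page from reading the cookie; as the quoted Microsoft note in the comments says, it does not by itself remove the need to fix the XSS.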

About This Post

PHP Gets HttpOnly Cookies was posted on Fri, 11 Aug 2006 at 15:45:15 GMT.

8 Comments

1. jordi said:

[mr burns]

excellent...

[/mr burns]

Fri, 11 Aug 2006 at 16:09:43 GMT


2. Nate Klaiber said:

This is good news!

Fri, 11 Aug 2006 at 16:38:49 GMT


3. James Benson said:

Surprised to see Mozilla does not support this already and IE does.

Fri, 11 Aug 2006 at 20:08:05 GMT


4. Chris Shiflett said:

Microsoft came up with it.

Fri, 11 Aug 2006 at 20:19:45 GMT


5. wesley said:

I just implemented a _set_cookie function which builds the string for header() and adds "HttpOnly".

However, I have a question: I'd like to know if all clients support multiple header lines for the same cookie:

set-cookie: PHPSESSID=4444777...

set_cookie: PHPSESSID=444545545 ...

Set-Cookie: PHPSESSID=444545545.. HttpOnly;

First line is caused by session_start();

Second by session_regenerate_id();

Third by my _set_cookie function.

Sun, 13 Aug 2006 at 21:43:42 GMT


6. Emmanuel said:

This is kind of bad. Although it helps (and it is a hack rather than a standard), it does not fully prevent it and gives a false sense of security.

This is one of their notes:

"Note The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Used alone, it cannot completely eliminate the danger of cross-site scripting"

And also, it could potentially be a source of problems for people using cookies in a good fashion. I hate to say it, but I'd rather figure out a way to prevent XSS with good coding in the back end rather than a hack in the client that can cause many headaches.

Mon, 14 Aug 2006 at 03:12:45 GMT


7. wesley said:

Emmanuel, it's you, the webmaster, who decides which cookies should be accessible from the client (JavaScript) and which shouldn't, so I don't get your last point.

Mon, 14 Aug 2006 at 07:53:14 GMT


8. Matt Mecham said:

You don't have to wait for PHP 5.2 to start using this, and you don't have to hand-roll your own setcookie methods, thanks to a lax check in the PHP source code.

http://blog.mattmecham.com/archives...ithout_php.html

Thu, 14 Sep 2006 at 13:06:11 GMT

