How to set an HttpOnly cookie in PHP?

How do I set cookies as HttpOnly cookies in PHP apps?

+74
security php cookies xss
Aug 31 '08 at 14:27
9 answers
  • For your own cookies, see this answer.
  • For the native PHP session cookie ( PHPSESSID , by default), see @richie's answer.

The setcookie() and setrawcookie() functions introduced the httponly parameter way back in PHP 5.2.0, which makes this nice and easy. Just set the 7th parameter to true, according to the syntax below.

Function syntax, simplified for brevity:

    setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
    setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

Pass NULL for the parameters you want to keep at their defaults. You may also consider setting the secure parameter.

It is also possible to use the older header() function:

    header( "Set-Cookie: name=value; httpOnly" );
+73
Aug 31 '08 at 14:38

For the native PHP session cookie on Apache, add this to your Apache or .htaccess configuration:

    <IfModule php5_module>
        php_flag session.cookie_httponly on
    </IfModule>

It can also be set in a script, if it is called before session_start().

    ini_set( 'session.cookie_httponly', 1 );
+83
Jan 04 2018-12-12T00:

Remember that HttpOnly does not stop cross-site scripting; instead, it neutralizes one possible attack, and currently only does so in IE (Firefox exposes HttpOnly cookies through XmlHttpRequest, and Safari does not honour it at all). By all means, turn on HttpOnly, but don't trade even an hour of output filtering and fuzz testing for it.

+12
Sep 10 '08 at 21:40

Please note that the PHP session cookie does not use httponly by default.

To do this:

    $sess_name = session_name();
    if (session_start()) {
        // re-send the session cookie with the HttpOnly flag set
        setcookie($sess_name, session_id(), 0, '/', '', false, true);
    }

A few notes here:

  • You need to call session_name() before session_start().
  • This also sets the path to '/', which Opera requires, but which PHP session cookies do not do by default either.
+8
Oct 30 '08 at 14:57

The explanation here is from Ilia ... 5.2, though

httpOnly cookie flag support in PHP 5.2

As stated in this article, you can set the header yourself in earlier versions of PHP:

    header("Set-Cookie: hidden=value; httpOnly");
+4
Aug 31 '08 at 14:35

You can specify it in the setcookie function; see the PHP manual.

    setcookie('Foo', 'Bar', 0, '/', 'www.sample.com', FALSE, TRUE);
+4
Aug 31 '08 at 14:37
    <?php
    // Non-HttpOnly cookie:
    setcookie("abc", "test", 0, '', '', FALSE, FALSE);
    // HttpOnly cookie (7th parameter true):
    setcookie("abc", "test", 0, '', '', FALSE, TRUE);
    ?>

+3
Aug 31 '08 at 14:36

You can use this in the header file.

    // set up the session environment
    ini_set('session.cookie_httponly', 1);
    ini_set('session.use_only_cookies', 1);

This way all future cookies will use httponly.

+3
May 27 '13 at 22:24

The correct syntax for the php_flag directive is:

    php_flag session.cookie_httponly On

And remember that only the first response from the server sets the cookie (that is where you can see the HttpOnly directive). So, for testing, delete the cookies from the browser after each request.

+1
Nov 19 '13 at 20:51
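Pulling the answers together, as an added example that is not from any of the posts above: the PHP 7.3+ options-array forms of session_set_cookie_params() and setcookie() set HttpOnly alongside Secure and SameSite, and a small check over headers_list() verifies the flags in what PHP is about to send, which avoids the clear-cookies-between-requests browser testing described in the last answer. The cookie name "prefs" and its value are made up.

```php
<?php
// Session cookie (PHPSESSID by default): set the flags before session_start().
// The options-array form needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // invisible to document.cookie
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_start();

// An application cookie with the same flags ("prefs" is a made-up name).
setcookie('prefs', 'theme=dark', [
    'expires'  => time() + 86400 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Return, per cookie name, the required attributes missing from the queued
// Set-Cookie headers. headers_list() shows exactly what PHP will send, so the
// check works in a test script without a browser.
function cookiesMissingFlags(array $headers, array $required = ['HttpOnly', 'Secure']): array
{
    $missing = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $parts = array_map('trim', explode(';', substr($header, strlen('Set-Cookie:'))));
        $name  = strstr(array_shift($parts), '=', true) ?: '(unnamed)';
        $attrs = array_map('strtolower', $parts);
        foreach ($required as $flag) {
            if (!in_array(strtolower($flag), $attrs, true)) {
                $missing[$name][] = $flag;
            }
        }
    }
    return $missing;
}

// Empty array: every cookie queued above carries HttpOnly and Secure.
var_dump(cookiesMissingFlags(headers_list()));
```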
