About the Author

Chris Shiflett

Hi, I’m Chris, a web craftsman making things like Mapalong & Brooklyn Beta with my friends at Analog.


PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds support for HttpOnly to setcookie() and setrawcookie(). This has been possible with header() all along, but this patch (applied by Ilia) makes things much easier.

Andrew has more information about browser compatibility, and he links to a potential solution for (and further discussion about) Mozilla/Firefox's lack of support.
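As an added illustration (not code from the post or the patch), here is one way to set an HttpOnly cookie on PHP 5.2+, where setcookie() gained a seventh $httponly argument, while falling back to a hand-built header() on older releases; the helper names and the sample cookie value are my own.

```php
<?php
// Builds the raw Set-Cookie header line. Kept separate so it can be inspected
// or logged without sending anything.
function build_set_cookie_header($name, $value, $expire = 0, $path = '/',
                                 $domain = '', $secure = false, $httponly = true)
{
    $parts = array(rawurlencode($name) . '=' . rawurlencode($value));
    if ($expire > 0) {
        // Browsers expect an RFC 1123 style GMT date in "expires"
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $parts[] = 'path=' . $path; }
    if ($domain !== '') { $parts[] = 'domain=' . $domain; }
    if ($secure)        { $parts[] = 'secure'; }
    if ($httponly)      { $parts[] = 'HttpOnly'; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Sets an HttpOnly cookie natively where setcookie() supports it, otherwise
// emits the header ourselves.
function set_httponly_cookie($name, $value, $expire = 0, $path = '/',
                             $domain = '', $secure = false)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // PHP 5.2+: the seventh argument of setcookie() is $httponly.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    // Older PHP: second argument false keeps any Set-Cookie headers already
    // queued for this response instead of replacing them.
    header(build_set_cookie_header($name, $value, $expire, $path, $domain,
                                   $secure, true), false);
    return true;
}

// Session cookie: on PHP 5.2+ the session layer can flag PHPSESSID itself,
// so there is no need for a second hand-written Set-Cookie line. On older
// releases this directive is simply unknown and has no effect.
ini_set('session.cookie_httponly', '1');
session_start();

// Sample application cookie (constructed value, one day lifetime).
set_httponly_cookie('remember', 'sample-token', time() + 86400, '/', '',
                    !empty($_SERVER['HTTPS']));
```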

About this post

PHP Gets HttpOnly Cookies was posted on Fri, 11 Aug 2006 at 15:45:15 GMT.

8 comments

1. jordi said:

[mr burns]

excellent...

[/mr burns]

Fri, 11 Aug 2006 at 16:09:43 GMT


2. Nate Klaiber said:

This is good news!

Fri, 11 Aug 2006 at 16:38:49 GMT


3. James Benson said:

Surprised to see Mozilla does not support this already and IE does.

Fri, 11 Aug 2006 at 20:08:05 GMT


4. Chris Shiflett said:

Microsoft came up with it.

Fri, 11 Aug 2006 at 20:19:45 GMT


5. wesley said:

I just implemented a _set_cookie function which builds the string for header() and adds "HttpOnly".

However, I have a question: I'd like to know if all clients support multiple header lines for the same cookie:

set-cookie: PHPSESSID=4444777...

set_cookie: PHPSESSID=444545545 ...

Set-Cookie: PHPSESSID=444545545.. HttpOnly;

The first line is caused by session_start();

the second by session_regenerate_id();

the third by my _set_cookie function.

Sun, 13 Aug 2006 at 21:43:42 GMT


6. Emmanuel said:

This is kind of bad: although it helps (and it is a hack rather than a standard), it does not fully prevent it and gives a false sense of security.

This is one of their notes:

"Note The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Used alone, it cannot completely eliminate the danger of cross-site scripting"

And also, it could potentially be a source of problems for people using cookies in a good fashion. I hate to say it, but I'd rather figure out a way to prevent XSS with good coding in the back end rather than a hack in the client that can cause many headaches.

Mon, 14 Aug 2006 at 03:12:45 GMT


7. wesley said:

Emmanuel, it's you, the webmaster, who decides which cookies should be accessible from the client (JavaScript) and which shouldn't, so I don't get your last point.

Mon, 14 Aug 2006 at 07:53:14 GMT


8. Matt Mecham said:

You don't have to wait for PHP 5.2 to start using this, and you don't have to hand-roll your own setcookie methods, thanks to a lax check in the PHP source code.

http://blog.mattmecham.com/archives...ithout_php.html

Thu, 14 Sep 2006 at 13:06:11 GMT

