Everything, Everything

2024: J F M A M J J A S O N
2023: J F M A M J J A S O N D
2022: J F M A M J J A S O N D
2021: J F M A M J J A S O N D
2020: J F M A M J J A S O N D
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
HttpOnly
Tuesday 20th March, 2007 13:21 Comments: 0
The good news is that Firefox 3 is going to catch up with IE6 SP1 and support Microsoft's extension, HttpOnly cookies. The web developer can set a cookie to be HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser will only ever use that cookie when sending HTTP requests. This means that client side scripting (typically cross site scripting attack) cannot read the cookie. And it doesn't appear to break anything for users with older browsers (it's essentially doing something similar to when you set a cookie as "secure" so the browser will only send it over HTTPS). So how do you do this on PHP? You can either change the ini setting for session.cookie_httponly or, more likely for those on shared hosting/without access to the the ini file, you should be able to use ini_set to change the setting. For instance, the following code will generate a session cookie (PHPSESSID) that's set to HttpOnly:

ini_set("session.cookie_httponly", 1);
session_start();


For those that actually look at server headers, this means you'll now see something like:

Set-Cookie: PHPSESSID=2bef439055e0aa0a9f15622cb7854eeb; path=/; HttpOnly

Simple. You can probably do a search and replace on your code to replace session_start() with the additional line of code. If you can't do this setting, pester your hosting company to install a newer version of PHP.
© Robert Nicholls 2002-2024
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3