HttpOnly
Tuesday 20th March, 2007 13:21 Comments: 0
The good news is that Firefox 3 is going to catch up with IE6 SP1 and support Microsoft's extension, HttpOnly cookies. The web developer flags a cookie as HttpOnly (both ASP and PHP support setting HttpOnly cookies) and the browser will only ever use that cookie when sending HTTP requests; client-side script (typically the payload of a cross-site scripting attack) cannot read it through document.cookie. It doesn't appear to break anything for users of older browsers: a browser that does not recognise the attribute simply ignores it and treats the cookie as before, in the same way that "secure" is just another cookie attribute (one that tells browsers which understand it to send the cookie only over HTTPS). One caveat worth keeping in mind: HttpOnly only stops script from reading the cookie's value. Injected script can still make requests from the victim's browser, and the browser attaches the cookie to those requests as usual, so HttpOnly is defence in depth against session theft rather than a fix for the XSS itself.

So how do you do this in PHP? You can either change the ini setting session.cookie_httponly or, more likely for those on shared hosting or without access to the ini file, use ini_set() to change the setting at runtime. Either way the setting must be in place before session_start() is called, because that is the point at which PHP emits the Set-Cookie header. For instance, the following code will generate a session cookie (PHPSESSID) that's set to HttpOnly:
ini_set("session.cookie_httponly", 1); // must run before session_start()
session_start();                        // the Set-Cookie header now carries HttpOnly
For those who actually look at the response headers, this means you'll now see something like:
Set-Cookie: PHPSESSID=2bef439055e0aa0a9f15622cb7854eeb; path=/; HttpOnly
Simple. You can probably do a search and replace on your code to put the ini_set() line in front of every session_start(). Cookies you set yourself with setcookie() are not covered by the session setting; from PHP 5.2.0 setcookie() takes a seventh, boolean httponly argument for those. The session.cookie_httponly directive also first appeared in PHP 5.2.0, so if ini_set() returns false the build is too old; pester your hosting company to install a newer version of PHP.
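The following is an added example, not code from the original post, that pulls the pieces above together in one script: it checks that the PHP build knows the directive, sets the session cookie and an application cookie with HttpOnly, and then inspects the queued Set-Cookie headers to confirm the flag is really there. It assumes it is run under a web SAPI (Apache with mod_php or similar); under the CLI no cookies are emitted and headers_list() is empty. The cookie names "legacy_pref" and "remember_token" and their values are placeholders invented for the example.

```php
<?php
// Added example: HttpOnly for the PHP session cookie and for setcookie() cookies,
// with a check on the actual Set-Cookie headers. Not part of the original post.
// Run this under a web server, not the CLI (the CLI never sends cookies).

// 1. Session cookie. The directive must be set before session_start().
//    ini_set() returns false when the build does not know the directive
//    (it exists from PHP 5.2.0), which is the "ask your host to upgrade" case.
if (ini_set('session.cookie_httponly', '1') === false) {
    header('HTTP/1.1 500 Internal Server Error');
    die("This PHP build does not support session.cookie_httponly (needs PHP >= 5.2.0)\n");
}

// If the site is served over HTTPS, mark the session cookie Secure as well.
// session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly)
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $https, true);

session_start();

// 2. Application cookies (hypothetical names). setcookie()'s seventh argument
//    is the HttpOnly flag; the first cookie deliberately omits it for contrast.
setcookie('legacy_pref', 'blue', 0, '/');                                  // readable by script
setcookie('remember_token', 'placeholder-value', 0, '/', '', $https, true); // hidden from script

// 3. Verify by scanning the headers PHP has queued for this response.
//    Returns true/false for the named cookie, or null if no Set-Cookie for it exists.
function cookie_is_httponly($name)
{
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie: ' . $name . '=') === 0) {
            return stripos($h, '; HttpOnly') !== false;
        }
    }
    return null;
}

header('Content-Type: text/plain');
foreach (array(session_name(), 'legacy_pref', 'remember_token') as $cookie) {
    $flag = cookie_is_httponly($cookie);
    echo str_pad($cookie, 16),
         $flag === null ? 'no Set-Cookie header' : ($flag ? 'HttpOnly' : 'NOT HttpOnly'),
         "\n";
}
```

The report line for legacy_pref is the shape of the problem the post is about: a cookie set without the flag is readable from document.cookie by any script the page executes, including injected script. The cookie_is_httponly() check is cheap enough to keep in a smoke test that fetches the login page and fails if the session cookie ever loses the flag, for instance after a PHP upgrade or an ini file change by the hosting company.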