[UPHPU] httponly cookies

Lonnie Olson lists at kittypee.com
Mon Jul 23 12:19:33 MDT 2007

jtaber wrote:
> There were some posts today on planet-php.org about the use of http-only
> cookies - apparently it's a way to hide the transmittal of cookie data.
> Anyone know anything about this and is it worthwhile to explore or
> utilize?

The brand-new Firefox just implemented support for http-only 

These cookies must be supported by the browser, since it is just a flag 
the server sends to the browser to instruct the browser to not leak the 
information to JavaScript.

PHP 5.2 implemented some support for httpOnly cookies. A new 7th param 
to setcookie() is a boolean to set the httpOnly flag.
A new ini file directive session.cookie-httponly to make session cookies 
auto flag the httpOnly flag.

It seems from reading the comments on 
that setting the flag doesn't break browsers that don't support the 
flag.  They just simply ignore the flag.
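
Added example, not part of the original post: a PHP sketch that sets the flag through the 7th setcookie() argument and the session directive (spelled session.cookie_httponly in php.ini), then audits the Set-Cookie headers queued for the response. The cookie names, values and the cookies_missing_httponly() helper are assumptions made for illustration.

```php
<?php
// Added example: cookie names and values are constructed for illustration.

// Must run before session_start(); marks the session cookie HttpOnly.
ini_set('session.cookie_httponly', '1');
session_start();

// Arguments: name, value, expire, path, domain, secure, httponly (7th).
setcookie('prefs', 'theme=dark', time() + 3600, '/', '', false, true);

/**
 * Hypothetical helper: return the names of cookies whose Set-Cookie
 * header lacks the HttpOnly attribute. $headers is a list of raw header
 * lines in the form headers_list() returns.
 */
function cookies_missing_httponly(array $headers): array
{
    $missing = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        // Split "name=value; attr; attr=val" into trimmed pieces.
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        $name  = explode('=', array_shift($parts), 2)[0];
        // Attribute names are case-insensitive; compare in lower case.
        $attrs = array_map(function ($p) {
            return strtolower(explode('=', $p, 2)[0]);
        }, $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed header line standing in for a cookie set without the flag.
$constructed = ['Set-Cookie: tracker=abc123; path=/'];

// Under a web SAPI, headers_list() holds the headers queued so far.
$headers = array_merge(headers_list(), $constructed);
foreach (cookies_missing_httponly($headers) as $name) {
    error_log("cookie '$name' is sent without HttpOnly");
}
```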
