[UPHPU] httponly cookies

Lonnie Olson lists at kittypee.com
Mon Jul 23 12:19:33 MDT 2007


jtaber wrote:
> There were some posts today on planet-php.org about the use of http-only 
> cookies - apparently it's a way to hide the transmittal of cookie data.  
> Anyone know anything about this and is it worthwhile to explore or 
> utilize?

The brand-new Firefox 2.0.0.5 just implemented support for http-only 
cookies.

These cookies must be supported by the browser, since it is just a flag 
the server sends to the browser to instruct the browser to not leak the 
information to javascript.

PHP 5.2 implemented some support for httpOnly cookies. A new 7th param 
to setcookie() is a boolean to set the httpOnly flag.
A new ini file directive, session.cookie-httponly, makes session cookies 
automatically carry the httpOnly flag.
http://us2.php.net/manual/en/ref.session.php#ini.session.cookie-httponly

It seems from reading the comments on 
http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html
that setting the flag doesn't break browsers that don't support the 
flag.  They just simply ignore the flag.
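The two PHP 5.2 mechanisms mentioned above, as an added example that is not part of the original post. It assumes a web SAPI (the cookie is never sent from the CLI), uses a constructed cookie name and placeholder token, and spells the ini directive the way PHP actually registers it, `session.cookie_httponly`, with an underscore.

```php
<?php
// Added example, not from the original post. Demonstrates the HttpOnly flag
// on both the PHP session cookie and an application cookie (PHP >= 5.2).
// Assumes a web SAPI; cookie name and token value below are constructed.

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// 1. Session cookie: session.cookie_httponly must be set before
//    session_start(), either here or in php.ini.
ini_set('session.cookie_httponly', '1');
if ($https) {
    // Secure keeps the session id off plain HTTP; HttpOnly only hides it
    // from document.cookie, it does not stop it going over the wire.
    ini_set('session.cookie_secure', '1');
}
session_start();

// 2. Application cookie: the 7th argument of setcookie() is the HttpOnly
//    flag. Argument order: name, value, expire, path, domain, secure, httponly.
$token = 'PLACEHOLDER_TOKEN'; // constructed; use a CSPRNG-generated value in real code
setcookie(
    'remember_token',      // constructed cookie name
    $token,
    time() + 30 * 86400,   // 30 days
    '/',
    '',                    // domain: default to the current host
    $https,                // Secure when served over HTTPS
    true                   // HttpOnly: not exposed to JavaScript
);

// Browsers without HttpOnly support (per the thread) ignore the attribute
// and still accept the cookie, so nothing above breaks on old clients.
```

Script-side code on the same origin still cannot read either cookie via document.cookie in a supporting browser, while every request to the server carries them as before.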
