How do you set up use HttpOnly cookies in PHP

Question

How can I set the cookies in my PHP apps as HttpOnly cookies

User · Accepted Answer

For your cookies  see this answer  For PHP s own session cookie  PHPSESSID  by default   see  richie s answer  The setcookie   and setrawcookie   functions  introduced the httponly parameter  back in the dark ages of PHP 5 2 0  making this nice and easy  Simply set the 7th parameter to true  as per the syntax Function syntax simplified for brevity setcookie      name   value   expire   path   domain   secure   httponly   setrawcookie   name   value   expire   path   domain   secure   httponly    In PHP  lt  8  specify NULL for parameters you wish to remain as default  In PHP  gt   8 you can benefit from using named parameters  See this question about named params  setcookie   name   value  httponly true    It is also possible using the older  lower-level header   function  header   quot Set-Cookie  name value  httpOnly quot      You may also want to consider if you should be setting the secure parameter

User · Answer

Note that PHP session cookies don t use httponly by default   To do that    sess name   session name    if  session start          setcookie  sess name  session id    null       null  null  true       A couple of items of note here    You have to call session name   before session start    This also sets the default path to      which is necessary for Opera but which PHP session cookies don t do by default either

User · Answer

lt  php   None HttpOnly cookie  setcookie  abc    test   NULL  NULL  NULL  NULL  FALSE       HttpOnly cookie  setcookie  abc    test   NULL  NULL  NULL  NULL  TRUE       gt    Source

User · Answer

For PHP s own session cookies on Apache  add this to your Apache configuration or  htaccess   lt IfModule php5 module gt      php flag session cookie httponly on  lt  IfModule gt    This can also be set within a script  as long as it is called before session start     ini set   session cookie httponly   1

User · Answer

You can use this in a header file      setup session enviroment ini set  session cookie httponly  1   ini set  session use only cookies  1     This way all future session cookies will use httponly    Updated

User · Answer

You can specify it in the set cookie function see the php manual  setcookie  Foo   Bar  0       www sample com     FALSE  TRUE

User · Answer

Be aware that HttpOnly doesn t stop cross-site scripting  instead  it neutralizes one possible attack  and currently does that only on IE  FireFox exposes HttpOnly cookies in XmlHttpRequest  and Safari doesn t honor it at all   By all means  turn HttpOnly on  but don t drop even an hour of output filtering and fuzz testing in trade for it

User · Answer

The right syntax of the php flag command is  php flag  session cookie httponly On   And be aware  just first answer from server set the cookie and here  for example You can see the  HttpOnly  directive  So for testing delete cookies from browser after every testing request

User · Answer

Explanation here from Ilia    5 2 only though  httpOnly cookie flag support in PHP 5 2  As stated in that article  you can set the header yourself in previous versions of PHP  header  Set-Cookie  hidden value  httpOnly

User · Answer

A more elegant solution since PHP   7 0   session start   cookie lifetime    gt  43200  cookie secure    gt  true  cookie httponly    gt  true      session start  session start options

[php] How do you set up use HttpOnly cookies in PHP

Examples related to php

Examples related to security

Examples related to cookies

Examples related to xss

Examples related to httponly