How do you set up HttpOnly cookies?
How can I set the cookies in my PHP apps as
Verified Answer (88 Votes) ✓
- For your cookies, see this answer.
- For PHP's own session cookie (PHPSESSID, by default), see @richie's answer.
Function syntax simplified for brevity:

    setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly );
    setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly );

Use NULL for parameters you wish to remain at their default.
You may also want to consider if you should be setting the
It is also possible using the older, lower-level
    header( "Set-Cookie: name=value; httpOnly" );
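The two approaches from the answer above, as an added example that is not part of the original answer: an application cookie set with setcookie() (options-array form, PHP 7.3+) and with a raw header(), plus a check over headers_list() that flags any queued Set-Cookie header lacking the HttpOnly attribute. The cookie names, values, and the helper functions are made up for illustration.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3 for the
// options-array form of setcookie(); cookie names/values are illustrative.
declare(strict_types=1);

function setHardenedCookie(string $name, string $value): bool
{
    // Positional form, PHP 5.2+: the 6th/7th arguments are $secure/$httponly:
    //   setcookie($name, $value, 0, '/', '', true, true);
    return setcookie($name, $value, [
        'expires'  => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',     // default: current host only
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not exposed to document.cookie
        'samesite' => 'Lax',  // PHP 7.3+; limits cross-site sending
    ]);
}

// Lower-level equivalent using header(); attribute names are case-insensitive.
// $replace = false so earlier Set-Cookie headers are kept.
function setHardenedCookieRaw(string $name, string $value): void
{
    header(sprintf('Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=Lax',
        rawurlencode($name), rawurlencode($value)), false);
}

// Returns every queued Set-Cookie header that is missing HttpOnly
// (an empty array means all cookies carry the attribute).
function cookiesMissingHttpOnly(): array
{
    $bad = [];
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && !preg_match('/;\s*httponly\b/i', $h)) {
            $bad[] = $h;
        }
    }
    return $bad;
}

setHardenedCookie('app_token', 'opaque-random-value');
setHardenedCookieRaw('app_raw', 'another-value');
setcookie('legacy', 'visible-to-js');   // deliberately missing HttpOnly

foreach (headers_list() as $h) {
    echo $h, PHP_EOL;
}
$missing = cookiesMissingHttpOnly();
echo ($missing
    ? 'Cookies without HttpOnly: ' . implode(' | ', $missing)
    : 'All cookies are HttpOnly'), PHP_EOL;
```

Run it from the CLI before any output is produced (header() and setcookie() fail once headers are sent); the last line should name only the `legacy` cookie.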
Answer #2 (116 Votes)
For PHP's own session cookies on Apache:
add this to your Apache configuration or
    <IfModule php5_module>
        php_flag session.cookie_httponly on
    </IfModule>
This can also be set within a script, as long as it is called before
    ini_set( 'session.cookie_httponly', 1 );
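The in-script variant from the answer above, as an added example that is not part of the original answer: the session cookie settings are hardened with ini_set() and session_set_cookie_params() (array form, PHP 7.3+), checked with session_get_cookie_params() before session_start() is called, and the emitted PHPSESSID header is printed for inspection. The check helper and its messages are made up for illustration.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params(); the helper names are illustrative.
declare(strict_types=1);

// Must run before session_start(): once the session cookie has been emitted,
// changing these values only affects the next request.
function hardenSessionCookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');      // HTTPS only
    ini_set('session.use_only_cookies', '1');   // never accept the id from the URL

    // Equivalent for the cookie attributes, and also sets SameSite (PHP 7.3+).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the session-cookie settings that are still insecure
// (an empty array means the cookie will be HttpOnly and Secure).
function sessionCookieProblems(): array
{
    $p = session_get_cookie_params();
    $problems = [];
    if (empty($p['httponly'])) {
        $problems[] = 'session.cookie_httponly is off';
    }
    if (empty($p['secure'])) {
        $problems[] = 'session.cookie_secure is off';
    }
    if (ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session.use_only_cookies is off';
    }
    return $problems;
}

hardenSessionCookie();
$problems = sessionCookieProblems();
if ($problems) {
    // Fail closed rather than start a session with a script-readable id.
    fwrite(STDERR, 'Refusing to start session: ' . implode('; ', $problems) . PHP_EOL);
    exit(1);
}

session_start();
echo 'Session cookie params: ', json_encode(session_get_cookie_params()), PHP_EOL;
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie: ' . session_name()) === 0) {
        echo $h, PHP_EOL;   // should contain "HttpOnly" and "Secure"
    }
}
```

Comment out the ini_set()/session_set_cookie_params() calls to see the check refuse to start the session; the printed Set-Cookie line is what the browser receives for PHPSESSID.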
Answer #3 (13 Votes)
Be aware that HttpOnly doesn't stop cross-site scripting; instead, it neutralizes one possible attack, and currently does that only on IE (Firefox exposes HttpOnly cookies in XMLHttpRequest, and Safari doesn't honor it at all). By all means, turn HttpOnly on, but don't drop even an hour of output filtering and fuzz testing in trade for it.