How do you set up HttpOnly cookies

04/21/2020 08:30:02

How can I set the cookies in my PHP apps as HttpOnly cookies?

Verified Answer (88 Votes)

08/31/2008 20:38:41
  • For your cookies, see this answer.
  • For PHP's own session cookie (PHPSESSID, by default), see @richie's answer.

The setcookie() and setrawcookie() functions introduced the httponly parameter back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax:

Function syntax simplified for brevity

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

Enter NULL for parameters you wish to remain as default. You may also want to consider if you should be setting the secure parameter.

It is also possible using the older, lower-level header() function:

header( "Set-Cookie: name=value; httpOnly" );

Answer #2 (116 Votes)

01/04/2012 16:41:46

For PHP's own session cookies on Apache:
Add this to your Apache configuration or .htaccess:

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

ini_set( 'session.cookie_httponly', 1 );
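The two answers above cover the two places the flag has to be set: PHP's own session cookie (via the session.cookie_httponly ini setting before session_start()) and application cookies (via the httponly argument of setcookie()). The script below is an added example, not code from either answer, that applies both in one request handler and then inspects the queued Set-Cookie headers to confirm every cookie carries HttpOnly. The helper cookiesMissingHttpOnly() is hypothetical (written for this example); the cookie names, values and lifetimes are constructed. It assumes a web SAPI such as the built-in server (php -S), because under the CLI SAPI no headers are emitted and headers_list() stays empty; it also assumes PHP 7.3 or later for the options-array form of setcookie() and the session.cookie_samesite setting.

```php
<?php
// Added example (not from the answers above). Run under a web SAPI, e.g.
//   php -S 127.0.0.1:8080 cookies.php
// then `curl -i http://127.0.0.1:8080/` and read the Set-Cookie headers.
// Under the CLI SAPI no headers are sent and headers_list() is empty.
declare(strict_types=1);

// 1. Harden PHP's own session cookie *before* session_start(): the flags are
//    baked into the Set-Cookie header at the moment the session cookie is issued.
ini_set('session.cookie_httponly', '1');   // the setting from the answer above
ini_set('session.cookie_secure', '1');     // only sent over HTTPS (browsers drop it on plain http)
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3
ini_set('session.use_strict_mode', '1');   // reject session ids the server never issued
session_start();

// 2. Application cookies. Seventh positional argument = httponly (PHP >= 5.2.0);
//    sixth = secure. Values here are constructed for the example.
setcookie('prefs', 'theme=dark', time() + 86400, '/', '', true, true);

//    On PHP >= 7.3 the options-array form is clearer and also exposes SameSite.
setcookie('remember', bin2hex(random_bytes(16)), [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

/**
 * Hypothetical helper for a deployment smoke test: given the headers queued for
 * this response (as returned by headers_list()), return the names of cookies
 * whose Set-Cookie header lacks the HttpOnly attribute.
 *
 * @param string[] $headers raw "Name: value" header lines
 * @return string[] cookie names missing HttpOnly
 */
function cookiesMissingHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        // "Set-Cookie: name=value; Path=/; Secure; HttpOnly" -> split on ';'
        $parts = array_map('trim', explode(';', substr($header, strlen('Set-Cookie:'))));
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map('strtolower', $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = trim($name);
        }
    }
    return $missing;
}

// 3. Verify before the response goes out: every cookie queued so far (session
//    cookie plus the two application cookies) should carry HttpOnly.
$missing = cookiesMissingHttpOnly(headers_list());
header('Content-Type: text/plain');
echo $missing === []
    ? "All cookies in this response carry HttpOnly\n"
    : "Cookies without HttpOnly: " . implode(', ', $missing) . "\n";
```

The check uses headers_list() rather than the browser because it runs before the response is sent, which makes it usable as a self-test in a staging environment; the same parsing can be pointed at the Set-Cookie lines of a curl -i capture to audit a live deployment.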

Answer #3 (13 Votes)

09/11/2008 03:40:41

Be aware that HttpOnly doesn't stop cross-site scripting; instead, it neutralizes one possible attack, and currently does that only on IE (Firefox exposes HttpOnly cookies in XMLHttpRequest, and Safari doesn't honor it at all). By all means, turn HttpOnly on, but don't drop even an hour of output filtering and fuzz testing in trade for it.

Hack Hex uses the Stack Exchange API by Stack Exchange Inc. to scrape questions/answers under a Creative Commons license.