httpOnly cookies in PHP

August 11th, 2006

Ilia, one of the PHP developers, has committed a patch by Scott MacVicar to CVS for PHP 5.2 that allows you to set an httpOnly cookie instead of a normal cookie. An httpOnly cookie isn't accessible via JavaScript, which removes the possibility of some nefarious code reading your cookie.

This can be enabled in PHP 5.2 by passing TRUE as the 7th parameter to setcookie() and setrawcookie(). In versions below 5.2, you can set the flag yourself by sending the cookie header directly.

PHP:
  header("Set-Cookie: hidden=value; httpOnly");

However, browser compatibility is not complete. It is available in MSIE, but is lacking in Mozilla, Firefox and Safari. More discussion on the benefits of this cookie can be found on the Mozilla Bugzilla.

You can download PHP 5.2.-dev from the PHP Website. However, it has not yet been released as a public stable version, so caution is necessary on production servers.



Entry Filed under: PHP, PHP 5
