Viktors Rotanovs home

HttpOnly in PHP (Anti-XSS)

Wondering how to prevent JavaScript from stealing the session cookie? Major browsers have the answer: add the HttpOnly attribute to the cookie and the browser will keep it out of reach of malicious JavaScript code (document.cookie no longer exposes it). Full details are available at MSDN.

Since this option is well-supported (AFAIK MSIE, Mozilla/Firefox/Gecko and Konqueror support it), it’s unclear why PHP doesn’t support it yet. I’ve written a patch to add HttpOnly support to PHP. After applying the patch, add this line to your php.ini:

session.cookie_httponly = 1
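As an added example (not part of the original post or of the patch), here is how the same setting is applied at runtime on a current PHP release, together with a check that no queued Set-Cookie header is missing the flag. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(); cookiesMissingHttpOnly() is a helper written for this example.

```php
<?php
// Added example, not from the original post: enable HttpOnly on the PHP
// session cookie at runtime, then verify the queued Set-Cookie headers.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params / setcookie).

declare(strict_types=1);

// Per-script equivalent of "session.cookie_httponly = 1" in php.ini.
ini_set('session.cookie_httponly', '1');

// Or set it together with the other cookie attributes. HttpOnly keeps the
// cookie out of document.cookie; Secure keeps it off plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Application cookies that client-side scripts never read get the same flag.
setcookie('prefs', 'theme=dark', ['path' => '/', 'httponly' => true]);

// Return the names of cookies in the given Set-Cookie headers that lack
// HttpOnly. Attribute names are case-insensitive (RFC 6265), so match
// the flag case-insensitively.
function cookiesMissingHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (!preg_match('/;\s*HttpOnly\b/i', $header)) {
            $pair = trim(substr($header, strlen('Set-Cookie:')));
            $missing[] = explode('=', $pair, 2)[0];
        }
    }
    return $missing;
}

// headers_list() returns the headers queued for this response so far.
$missing = cookiesMissingHttpOnly(headers_list());
if ($missing !== []) {
    error_log('Cookies sent without HttpOnly: ' . implode(', ', $missing));
}
```

Run under a web SAPI, since headers_list() is empty on the CLI; the log line is the signal that some response path still emits a cookie without the flag.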

Enjoy!
