» HttpOnly in PHP (Anti-XSS)

| Subscribe by Email

Home » Web Development

Newer:

HttpOnly in PHP (Anti-XSS)

Posted on September 5th, 2004 1 Comment »

Wondering how to prevent JavaScript from stealing session cookie? Major browsers got the answer: just add HttpOnly to cookie to protect it from malicious JavaScript code. Full details:

http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Since this option is well-supported (AFAIK MSIE, Mozilla/Firefox/Gecko and Konqueror support it) it’s unclear why PHP doesn’t support it yet. Here’s a patch to add HttpOnly support to PHP:

http://rotanovs.com/php-session-httponly.patch

After applying the patch, add this string to your php.ini:

session.cookie_httponly = 1

Enjoy!

One Response

Thomas

The Mozilla browsers currently do not support the httponly option. Have a look at bug 178993: http://bugzilla.mozilla.org/show_bug.cgi?id=178993

Leave a Reply

About me

Feb 2007–Present: Lead developer at Enormo, real estate search with 10 million listings in 30 languages

Jul 2001–Feb 2007: Chief Developer at Inbox.lv, largest Latvian Internet portal, proud to say it moved from #4 to #1 in terms of weekly unique visitors since I joined the company.

Experience: development of websites with more than 10,000,000 hits per day, administration of 70+ servers.
Contact Me
del.icio.us

twitter

smugmug
Tags

ArrayAccess belgium bruges brussels Canon Canon 40D jquery Nikon Nikon D300 oop photos php spl zend
Blogroll