a memo

PHP 5.2 to support HttpOnly cookie flag

From Ilia Alshanetsky comes news that PHP 5.2's setcookie() will support a new "HTTP only" parameter. The idea is that you can ask browsers to send the cookie with HTTP requests only, and not expose it to JavaScript, Flash, etc.

This is a Big Deal from a security standpoint, because it would protect web applications from a whole class of JavaScript-based cross-site scripting (XSS) attacks, those in which an attacker uses injected script to read the victim's session cookie and impersonate them.

There will also be a php.ini setting to set the httpOnly flag on session cookies, which is where it is needed most.
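The two settings described above, as an added example that is not part of the original post (the cookie name, its placeholder value and the small audit helper are assumptions; the setcookie() argument order and the session.cookie_httponly setting are PHP 5.2's own):

```php
<?php
// Added example (not from the original post): set the HttpOnly flag on an
// application cookie and on the session cookie in PHP 5.2, then audit the
// pending response headers so a missing flag is noticed before the response
// is sent.

// 1. Session cookie: same effect as "session.cookie_httponly = 1" in php.ini.
//    Must be set before session_start(), which emits the session cookie.
ini_set('session.cookie_httponly', 1);
session_start();

// 2. Application cookie: the seventh argument is the new httponly flag.
//    Argument order: name, value, expire, path, domain, secure, httponly.
//    'remember_me' and the placeholder value are constructed for this example.
setcookie('remember_me', 'token-placeholder', time() + 86400, '/', '', false, true);

// 3. Audit helper (hypothetical): names of pending Set-Cookie headers that
//    lack the HttpOnly attribute. Case-insensitive match, because setcookie()
//    writes "httponly" while the session module writes "HttpOnly".
function cookies_without_httponly() {
    $missing = array();
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (stripos($header, '; httponly') === false) {
            // Cookie name is everything between "Set-Cookie: " and the "=".
            $missing[] = substr($header, 12, strpos($header, '=') - 12);
        }
    }
    return $missing;
}

$unprotected = cookies_without_httponly();
if ($unprotected) {
    // Log rather than fail: a useful check to run in development or staging.
    error_log('Cookies missing HttpOnly: ' . implode(', ', $unprotected));
}
```

With both settings applied the helper returns an empty array; remove the seventh setcookie() argument and it reports remember_me.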

Right now, httpOnly is an MSIE thing, supported by IE6.5 (and presumably 7). Other browsers are working on it.

Warning: If you use XMLHttpRequests, you may still be exposing the Cookie: header of a response to JavaScript. Further testing will be required once browser implementations of HttpOnly are ironed out.

By Chris Snyder on August 11, 2006 at 9:39am

