How do you set up use HttpOnly cookies in PHP

php security cookies xss httponly
Scott Warren picture Scott Warren · Aug 31, 2008 · Viewed 114.6k times · Source

How can I set the cookies in my PHP apps as HttpOnly cookies?

Answer

richie picture richie · Jan 4, 2012

For PHP's own session cookies on Apache:
add this to your Apache configuration or .htaccess

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

ini_set( 'session.cookie_httponly', 1 );

Related questions

What encryption algorithm is best for encrypting cookies?

Since this question is rather popular, I thought it useful to give it an update. Let me emphasise the correct answer as given by AviD to this question: You should not store any data that needs encrypting in your cookie. …

Read More
Session timeouts in PHP: best practices

What is the actual difference between session.gc_maxlifetime and session_cache_expire() ? Suppose I want the users session to be invalid after 15 minutes of non-activity (and not 15 after it was first opened). Which one of these will help me …

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More