[SOLVED] session.cookie_httponly


orange08


I have read about this in a security tutorial:

If you are using PHP 5.2+ then you can tell the browser that JavaScript should not be given access to the cookie using a flag called httponly. Set this flag using the php.ini directive called session.cookie_httponly or you can use the session_set_cookie_params() function.

But I can't understand it... What is meant by:

you can tell the browser that JavaScript should not be given access to the cookie.

Can you give me an example?

 


A cookie that the web server sends to the browser can normally be read by any JavaScript on a page that matches that cookie. session.cookie_httponly causes that cookie to be flagged so that JavaScript cannot read that cookie.

ok, thanks...

Then, for this purpose, how should I set it in my .htaccess?

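Added example (not code from this thread or from the tutorial quoted above): a small PHP page that sets the session cookie with the httponly flag both ways the tutorial mentions, and next to it a plain cookie without the flag so the difference is visible. The directive is enabled (session.cookie_httponly = 1 in php.ini, or php_flag session.cookie_httponly On in .htaccess under mod_php) to get the flag; the file name httponly.php is my own choice.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.2+ (the httponly
// parameter) and PHP's built-in web server or mod_php for trying it out.

// Option 1: the php.ini directive, set at runtime before the session starts.
// Same effect as "session.cookie_httponly = 1" in php.ini, or
// "php_flag session.cookie_httponly On" in .htaccess under mod_php.
ini_set('session.cookie_httponly', '1');

// Option 2: session_set_cookie_params() with the httponly flag.
// Positional signature: (lifetime, path, domain, secure, httponly); the
// fifth argument is the one the tutorial refers to. Either option alone
// is enough; both are shown here for comparison.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $secure, true);

session_start();
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;

// For contrast: an ordinary cookie with httponly = false (the default).
// Page scripts can read this one through document.cookie.
setcookie('theme', 'dark', 0, '/', '', $secure, false);

// Show the Set-Cookie headers PHP is about to send: the session cookie
// line ends with "; HttpOnly", the theme cookie line does not.
header('Content-Type: text/plain');
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie:') === 0) {
        echo $header, PHP_EOL;
    }
}
echo 'visits this session: ', $_SESSION['visits'], PHP_EOL;
```

To check it, run `php -S localhost:8080 httponly.php`, open the page in a browser and type `document.cookie` in the developer console: `theme=dark` shows up, the PHPSESSID cookie does not, even though the browser keeps sending it with every request (reload and watch the visit counter). On PHP 7.3+ session_set_cookie_params() also accepts an array form with `'httponly' => true` and a `'samesite'` key, but the positional call above works on every version the tutorial targets.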

I mean, do I need to set session.cookie_httponly to ON or OFF for this purpose?

 

thanks!


It should be off by default.

 

Yup, the default is off, but for this purpose:

If you are using PHP 5.2+ then you can tell the browser that JavaScript should not be given access to the cookie using a flag called httponly. Set this flag using the php.ini directive called session.cookie_httponly or you can use the session_set_cookie_params() function.

should it be set to ON or OFF? I think it is ON?


You need it off in PHP so JavaScript cannot use cookies in the URL of PHP, so others cannot take those cookies and use them to attempt to hack your website.

Cookies will work with this option OFF; it just means that the cookies are not seen or able to be taken from the URL of a PHP script.

So in essence it's always off unless you want hacking problems.

The reason php.ini has lots of OFF/ON options for functions is because there are thousands of PHP scripts built with no security in mind, and also there are loads with security in mind.

Never touch anything you don't know about or haven't read about before activating it.

You need to be very careful when using 3rd party code/scripts; if it looks too good to be true it probably isn't true.

Never be fooled just because it's free; it does not mean it's not getting info to do something soon...



ok, thanks for the reply and information!  :D
