orange08 Posted September 30, 2009 Share Posted September 30, 2009 i have read about this in a security tutorial If you are using PHP 5.2+ then you can tell the browser that Javascript should not be given access to the cookie using a flag called httponly. set this flag using the php.ini directive called session.cookie_httponly or you can use the session_set_cookie_params() function. but, i can't understand with it... what's it meant by: you can tell the browser that Javascript should not be given access to the cookie. can give me an example? Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/ Share on other sites More sharing options...
PFMaBiSmAd Posted September 30, 2009 Share Posted September 30, 2009 A cookie that the web server sends to the browser can normally be read by any javascript on a page that matches that cookie. session.cookie_httponly causes that cookie to be flagged so that javascropt cannot read that cookie. Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-927770 Share on other sites More sharing options...
orange08 Posted October 1, 2009 Author Share Posted October 1, 2009 A cookie that the web server sends to the browser can normally be read by any javascript on a page that matches that cookie. session.cookie_httponly causes that cookie to be flagged so that javascropt cannot read that cookie. ok, thanks... then, for this purpose, how should i set it in my .htaccess? Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928156 Share on other sites More sharing options...
orange08 Posted October 1, 2009 Author Share Posted October 1, 2009 A cookie that the web server sends to the browser can normally be read by any javascript on a page that matches that cookie. session.cookie_httponly causes that cookie to be flagged so that javascropt cannot read that cookie. ok, thanks... then, for this purpose, how should i set it in my .htaccess? i meant need to set session.cookie_httponly to ON or OFF for such purpose? thanks! Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928184 Share on other sites More sharing options...
redarrow Posted October 1, 2009 Share Posted October 1, 2009 It should be off via default. Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928241 Share on other sites More sharing options...
orange08 Posted October 1, 2009 Author Share Posted October 1, 2009 It should be off via default. yup, default is off, but if for this purpose If you are using PHP 5.2+ then you can tell the browser that Javascript should not be given access to the cookie using a flag called httponly. set this flag using the php.ini directive called session.cookie_httponly or you can use the session_set_cookie_params() function. it should be set to ON or OFF? i think is ON? Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928267 Share on other sites More sharing options...
redarrow Posted October 1, 2009 Share Posted October 1, 2009 You need it off in php so JavaScript can not use cookies in the url of php, so others can not take those cookies and use them to attempt to hack your web site. cookie will work with this option to OFF, just means that the cookies are not seen or able to be taken from the url of a php script. so in essence it always off uncles you want hacking problems. The reason php.ini has lots of OFF/ON options for functions is because, there thousands off php scripts built with no security in mind, and also there loads with security in mind. never touch any think you don't no about or read about before activating. you need to be very careful when using 3rd party code/scripts , if it looks to good to be true it probably insist true. never be fooled just because it free does not mean it not getting info to do some think soon... Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928269 Share on other sites More sharing options...
orange08 Posted October 1, 2009 Author Share Posted October 1, 2009 You need it off in php so JavaScript can not use cookies in the url of php, so others can not take those cookies and use them to attempt to hack your web site. cookie will work with this option to OFF, just means that the cookies are not seen or able to be taken from the url of a php script. so in essence it always off uncles you want hacking problems. The reason php.ini has lots of OFF/ON options for functions is because, there thousands off php scripts built with no security in mind, and also there options that are turned ON because security was in mind ... you need to be very careful when using 3rd party code/scripts , if it looks to good to be true it probably insist true. never be fooled just because it free does not mean it not getting info to do some think soon... ok, thanks for the reply and information! Quote Link to comment https://forums.phpfreaks.com/topic/176075-solved-sessioncookie_httponly/#findComment-928273 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.