Zend Framework, Sessions, and HttpOnly

I want to make my session cookie HttpOnly. Based on this article, I added this to my application.ini:

resources.session.cookie_httponly = true

Unfortunately, when I look at the session cookie in Firecookie, it is not marked as HttpOnly as I have specified. What step am I missing?

Overriding answered 16/12, 2010 at 14:53 Comment(10)
"when I look at the session cookie in Firecookie, it is not marked as HttpOnly" --- how exactly should the cookie be marked? What did you expect to see there? – Excogitate
HttpOnly is a step to protect from XSS: codinghorror.com/blog/2008/08/… – Overriding
@Sonny: it is a step to protect against cookie hijacking, not XSS. XSS is just a way to send the cookies, and HttpOnly is the option that does not allow you to read cookies from JS. So it protects the cookie from being read in JS. There is no connection between XSS and HttpOnly. – Excogitate
FTA: "HttpOnly cookies are a great idea, and properly implemented, make huge classes of common XSS attacks much harder to pull off." – Overriding
@Sonny: omg... HttpOnly protects the cookie from being read. Without this option your site is not any more XSS-vulnerable. – Excogitate
Why are you being argumentative rather than helpful? This is not the only step I take for security, I just want to use all available tools. – Overriding
@Sonny: I just corrected you, because your phrase "I want to make my session cookie HttpOnly to reduce XSS vulnerabilities" is just wrong and I do care about future inexperienced readers who will follow your words. – Excogitate
Well, on-topic now: have you looked at the response headers? – Excogitate
When I look at the Response and Request headers in Firebug, I can see a Set-Cookie line that specifies HttpOnly, but this is for a cookie other than my session cookie. Firecookie shows an HttpOnly column, and the cookie I am specifying HttpOnly is marked as such, but my session is not. I don't know where else to look. – Overriding
If it helps, removing the PHP session cookie and starting the session again is the first test for testing. Mine worked with only the ini setting. – Nock

Try, at bootstrap, doing Zend_Session::setOptions(array('cookie_httponly' => true)); (somewhere before the session is first initialized), though it should work with the app.ini file too.

Fern answered 16/12, 2010 at 16:1 Comment(3)
This works. I wish I could figure out why it's not reading from application.ini. – Overriding
Will have a look and let you know if I find something. – Fern
Use Zend_Session::setOptions(array('cookie_httponly' => true)); instead of Zend_Session::setOptions(array('cookie_httponly', true)); – Erubescence

Add this to your application.ini file.

phpSettings.session.cookie_httponly = true

Brave answered 13/8, 2012 at 14:9 Comment(0)
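The bootstrap approach from the accepted answer and the php.ini check behind the phpSettings answer, combined into one piece, as an added example that is not part of the question or any answer. The Bootstrap class follows the Zend Framework 1 Zend_Application_Bootstrap conventions; verifySessionCookie() is a hypothetical helper written for this example, and it assumes nothing else starts the session before _initSession() runs.

```php
<?php
// Added example, not code from the question or answers. Forces the HttpOnly
// flag on the ZF1 session cookie at bootstrap time and verifies that the
// flag actually reached PHP's session cookie parameters.

class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    // Zend_Application runs _init* methods in order; the session must not
    // have been started by an earlier resource (assumption for this example).
    protected function _initSession()
    {
        if (Zend_Session::isStarted()) {
            // Too late: cookie parameters are fixed once the session starts,
            // so a cookie already sent would not carry the HttpOnly flag.
            throw new RuntimeException('Session was started before _initSession');
        }

        Zend_Session::setOptions(array(
            'cookie_httponly'  => true,  // not readable via document.cookie
            'cookie_secure'    => false, // set to true when the site is served over HTTPS
            'use_only_cookies' => true,  // never accept the session id from the URL
        ));
        Zend_Session::start();
    }
}

// Hypothetical helper: returns the problems found with the live session
// cookie parameters, or an empty array when the cookie is HttpOnly as intended.
// Call it after the session resource has run, before any output is sent.
function verifySessionCookie()
{
    $problems = array();
    $params = session_get_cookie_params();   // mirrors the session.cookie_* ini values
    if (empty($params['httponly'])) {
        $problems[] = 'session.cookie_httponly is not enabled';
    }
    if ((int) ini_get('session.use_only_cookies') !== 1) {
        $problems[] = 'session.use_only_cookies is not enabled';
    }
    return $problems;
}
```

If verifySessionCookie() reports no problems but the browser still shows the cookie without HttpOnly, delete the old session cookie and reload, since the flag is only sent with a fresh Set-Cookie header.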

For this to be 100% safe, the server should not allow the HTTP TRACE method. The HTTP TRACE method reports the session id. If an attacker can inject a Java applet, Flash or JavaScript with Ajax, the attacker can also steal cookies even with the httponly flag set...

Vouge answered 27/4, 2013 at 10:25 Comment(0)
