How do you set up HttpOnly cookies in PHP
M

11

107

How can I set the cookies in my PHP apps as HttpOnly cookies?

Myrmidon answered 31/8, 2008 at 14:27 Comment(3)
#528905 Has the browser support info.Coachandfour
@Tchalvak No, the current answers are still authoritative. Nothing has changed since 2008 regarding HTTP-only cookie setting in PHP. Which browsers support HTTP-only cookies is a different question, with a different answer.Munafo
You may use $cookie->setHttpOnly(true); with github.com/delight-im/PHP-CookieProrogue
K
105
  • For your cookies, see this answer.
  • For PHP's own session cookie (PHPSESSID, by default), see @richie's answer

The setcookie() and setrawcookie() functions introduced the boolean httponly parameter back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax:

Function syntax simplified for brevity

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

In PHP < 8, specify NULL for parameters you wish to remain as default.

In PHP >= 8 you can benefit from using named parameters. See this question about named params.

setcookie( $name, $value, httponly:true )

It is also possible using the older, lower-level header() function:

header( "Set-Cookie: name=value; HttpOnly" );

You may also want to consider if you should be setting the Secure parameter.

Kirtley answered 31/8, 2008 at 14:38 Comment(2)
With PHP 8's named parameters, we'll finally be able to make the set_cookie call less verbose if we don't need to set the other parameters. For example set_cookie($name, $value, httponly: true).Hickie
On PHP 7.3.0, we can use an array: setcookie("name", "value", ['httponly' => true]);Jackstay
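Putting the answer's two points together, here is an added example (not code from the answer above) that sets one application cookie with the PHP 7.3+ options-array form, including the Secure and SameSite attributes the answer hints at, and then checks the queued Set-Cookie header for the HttpOnly flag. The function names and the cookie name are my own; the check only reports under a web SAPI, since headers_list() is empty on the CLI.

```php
<?php
// Added example: set a cookie with HttpOnly (plus Secure and SameSite) using the
// options array available since PHP 7.3, then confirm the flag reached the header.
// Run with a web SAPI, e.g.  php -S 127.0.0.1:8080 cookie.php  and fetch it with curl -i.

declare(strict_types=1);

function setHardenedCookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'domain'   => '',        // empty string: current host only
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from document.cookie
        'samesite' => 'Lax',     // PHP 7.3+: limits cross-site sending
    ]);
}

// Return the queued Set-Cookie headers for $name that carry the HttpOnly attribute.
// PHP emits "...; secure; HttpOnly; SameSite=Lax", so a case-insensitive match suffices.
function httpOnlyCookieHeaders(string $name): array
{
    $found = [];
    foreach (headers_list() as $header) {
        if (stripos($header, "Set-Cookie: {$name}=") === 0
            && preg_match('/;\s*HttpOnly\b/i', $header) === 1) {
            $found[] = $header;
        }
    }
    return $found;
}

setHardenedCookie('app_pref', 'dark', 3600);   // 'app_pref' is a constructed sample cookie

header('Content-Type: text/plain');
$hits = httpOnlyCookieHeaders('app_pref');
echo $hits
    ? "HttpOnly present:\n" . implode("\n", $hits) . "\n"
    : "HttpOnly flag missing (or running under the CLI, where headers_list() is empty)\n";
```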
D
132

For PHP's own session cookies on Apache:
Add this to your Apache configuration or .htaccess:

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

ini_set( 'session.cookie_httponly', 1 );
Delozier answered 4/1, 2012 at 11:41 Comment(4)
+1 as this is a good thing (for security) to have in place on your entire server but instead added to the php.ini.Zelazny
Please note php_flag should be used instead: "Don't use php_value to set boolean values. php_flag should be used instead." php.net/manual/en/configuration.changes.phpZebu
@OndrejMachulda Changing php_value to php_flag doesn't work. I just tried it on my server.Icsh
@Nate: When changing to php_flag, you must change also the value - to either on or off - see the manual.Zebu
B
15

Note that PHP session cookies don't use httponly by default.

To do that:

$sess_name = session_name();
if (session_start()) {
    setcookie($sess_name, session_id(), null, '/', null, null, true);
}

A couple of items of note here:

  • You have to call session_name() before session_start()
  • This also sets the default path to '/', which is necessary for Opera but which PHP session cookies don't do by default either.
Berar answered 30/10, 2008 at 14:57 Comment(1)
php.net/manual/en/function.session-set-cookie-params.php It can be done automatically via the above PHP function instead of custom coding.Shinny
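The comment above points at session_set_cookie_params(); the following added example (my code, not the answerer's) uses it to make PHPSESSID HttpOnly and Secure before session_start(), so there is no need to re-send the cookie by hand, and then reads the effective settings back with session_get_cookie_params(). It assumes PHP 7.3 or later for the options-array form with 'samesite'; the helper names are mine.

```php
<?php
// Added example: harden PHP's own session cookie via session_set_cookie_params()
// before session_start(), then report the settings that are in effect.
// Requires PHP >= 7.3; run under a web SAPI so the Set-Cookie header is emitted.

declare(strict_types=1);

function hardenSessionCookie(): void
{
    // Must be called before session_start(); afterwards the cookie is already queued.
    session_set_cookie_params([
        'lifetime' => 0,        // 0: cookie is dropped when the browser closes
        'path'     => '/',      // explicit path, as the answer above recommends
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse session IDs passed in the URL (already the default since PHP 5.3)
    // and reject uninitialised IDs supplied by the client.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
}

// Summarise the effective session-cookie protections so a deployment can be checked quickly.
function sessionCookieReport(): array
{
    $p = session_get_cookie_params();
    return [
        'httponly'     => (bool) $p['httponly'],
        'secure'       => (bool) $p['secure'],
        'samesite'     => $p['samesite'] ?? '',
        'only_cookies' => ini_get('session.use_only_cookies') === '1',
        'strict_mode'  => ini_get('session.use_strict_mode') === '1',
    ];
}

hardenSessionCookie();
if (session_start()) {
    header('Content-Type: text/plain');
    foreach (sessionCookieReport() as $key => $value) {
        printf("%-13s %s\n", $key, var_export($value, true));
    }
}
```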
P
12

Be aware that HttpOnly doesn't stop cross-site scripting; instead, it neutralizes one possible attack, and currently does that only on IE (Firefox exposes HttpOnly cookies in XMLHttpRequest, and Safari doesn't honor it at all). By all means, turn HttpOnly on, but don't drop even an hour of output filtering and fuzz testing in trade for it.

Partnership answered 10/9, 2008 at 21:40 Comment(1)
This situation may have changed since '08, now. Here is a more current/updated list: #528905Coachandfour
A
8
<?php
// Non-HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, FALSE); 

//HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE); 

?>

Source

Ahola answered 31/8, 2008 at 14:36 Comment(0)
A
5

You can specify it in the setcookie function; see the PHP manual.

setcookie('Foo', 'Bar', 0, '/', 'www.sample.com', FALSE, TRUE);
Annates answered 31/8, 2008 at 14:37 Comment(0)
S
4

Explanation here from Ilia... 5.2 only though

httpOnly cookie flag support in PHP 5.2

As stated in that article, you can set the header yourself in previous versions of PHP:

header("Set-Cookie: hidden=value; httpOnly");
Spinelli answered 31/8, 2008 at 14:35 Comment(0)
A
4

You can use this in a header file.

// set up session environment
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);

This way all future session cookies will use httponly.

  • Updated.
Ahola answered 27/5, 2013 at 22:24 Comment(2)
Just FYI session.use_only_cookies is on by default in PHP >5.3Sphery
and correct is "all future session cookies" will use httponly, not custom ones ...Lager
C
2

The right syntax of the php_flag command is

php_flag  session.cookie_httponly On

And be aware that only the first response from the server sets the cookie, and that is where (for example) you can see the "HttpOnly" directive. So for testing, delete the cookies from the browser after every test request.

Chronoscope answered 19/11, 2013 at 20:51 Comment(0)
S
1

A more elegant solution since PHP >=7.0

session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);

session_start

session_start options

Sapient answered 23/4, 2020 at 15:38 Comment(0)
C
0

Solution: session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);

This way it worked for me on the latest version of chromedriver.

Czechoslovakia answered 5/10, 2021 at 19:56 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Branle
