How can Javascript be prevented from accessing PHP cookie data?

(Taken from a job interview)

Which of the following answers are correct?

  • Use the httponly parameter when setting the cookie
  • The user must turn off Javascript support
  • It's a cookie setting in the browser
  • Only the issuing domain can access the cookie
  • One is on the client and the other is on the server, so it's not an issue
Greg Avatar asked Apr 19 '11 06:04


2 Answers

When the cookie header is set, you can specify httpOnly.

This can be done via PHP's setcookie function:

setcookie ( $name, $value, $expire, $path, $domain, $secure, $httponly )

httpOnly instructs the browser to not allow JS to access the cookie.

Christian Avatar answered Nov 15 '22 17:11


The correct answer is the first:

Use the httponly parameter when setting the cookie

This flag prevents (on compatible browsers, almost all, including IE >= 6sp1) the JavaScript engine in the browser from accessing cookies that carry this parameter. You can set this flag for regular cookies with setcookie and for session cookies with session_set_cookie_params.

edited: Support for IE >= 6sp1 instead of IE >= 7

Carlos Campderrós Avatar answered Nov 15 '22 18:11
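Both answers come down to one thing: the Set-Cookie header the server emits must carry the HttpOnly attribute (and, in practice, Secure as well). The following is an added example, not code from either answer, that parses Set-Cookie header values the way a browser would and reports cookies that are still readable from JavaScript. The two sample headers are constructed to resemble what PHP's setcookie emits without and with the $secure and $httponly arguments; the exact formatting PHP produces is not verified here.

```python
# Audit Set-Cookie header values for the HttpOnly (and Secure) attributes.
# Attribute names are matched case-insensitively, as browsers do.

def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure that take no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value.

    An empty list means the cookie is hidden from document.cookie
    (HttpOnly) and only sent over TLS (Secure).
    """
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent over plain HTTP")
    return findings


# Constructed samples (assumed shapes, not captured from a real PHP server):
#   setcookie('PHPSESSID', 'abc123', 0, '/')                  -> WEAK
#   setcookie('PHPSESSID', 'abc123', 0, '/', '', true, true)  -> HARDENED
WEAK = "PHPSESSID=abc123; path=/"
HARDENED = "PHPSESSID=abc123; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", audit_set_cookie(header) or ["ok"])
```

Run it against the Set-Cookie lines from your own responses (for example from a saved HTTP trace) to confirm that session cookies leave the server with HttpOnly set.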