Whats the recommended way to set httponly and secure flags on the PHPSESSID cookie?
I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly. Any better suggestions?
thanks
Set HttpOnly cookie in PHP:
ini_set("session.cookie_httponly", true);
This is the most common way to set cookies in PHP; empty variables will hold their default value.
Security of cookies is an important subject. HttpOnly and secure flags can be used to make the cookies more secure. When a secure flag is used, then the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.
The PHPSESSID is stored in the client's cookie, so I don't consider it secure. Someone might brute-force it and perform some action (like a Facebook status post) whenever a session was successfully hijacked.
ini_set('session.cookie_httponly', 1);
More information here on the PHP docs.
In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
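The two approaches above (the ini_set calls in the earlier answers and session_set_cookie_params in this one) combined into one startup script, as an added example that is not from any of the posters. It assumes the default session name PHPSESSID, a PHP version with session.use_strict_mode (5.5.2 or later), and that the site is served over HTTPS; the helper names request_is_https, harden_session_cookie and session_cookie_flags are this example's own, not PHP functions.

```php
<?php
// Added example: harden the PHPSESSID cookie before session_start().
// Everything below must run before any output is sent, because the
// Set-Cookie header is written when the session starts.
declare(strict_types=1);

// Constructed helper (not part of PHP): is this request arriving over TLS?
// The Secure flag only makes sense on HTTPS; on plain HTTP the browser
// would never send the cookie back and every request would get a new session.
function request_is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
}

// Constructed helper: apply the cookie flags using the positional
// signature quoted in the answer above plus the equivalent ini settings.
function harden_session_cookie(bool $https): void
{
    // lifetime 0 (session cookie), path "/", current host, Secure on HTTPS, always HttpOnly
    session_set_cookie_params(0, '/', '', $https, true);

    // The same flags via php.ini keys, so either mechanism alone is enough.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $https ? '1' : '0');

    // Only accept the session ID from the cookie, never from the URL, and
    // reject IDs that PHP did not itself generate (mitigates session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
}

// Constructed helper: read back what PHP will actually emit, usable as a
// startup self-check or in a test.
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return [
        'secure'   => (bool) $p['secure'],
        'httponly' => (bool) $p['httponly'],
    ];
}

$https = request_is_https();
harden_session_cookie($https);
session_start();

$flags = session_cookie_flags();
if (!$flags['httponly']) {
    error_log('PHPSESSID cookie is not HttpOnly; check for an earlier ini_set or php.ini override');
}
if (!$https) {
    error_log('Request is not HTTPS: Secure flag omitted so the session still works; serve the site over TLS to enable it');
}
```

On PHP 7.3 and later, session_set_cookie_params also accepts a single options array (keys lifetime, path, domain, secure, httponly, samesite), which is the only way to set the SameSite attribute through this function; the positional form shown in the answer keeps working on those versions.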