Set httpOnly and secure on PHPSESSID cookie in PHP

What's the recommended way to set the httponly and secure flags on the PHPSESSID cookie?

I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly. Any better suggestions?

thanks

Steve asked Jul 25 '11 20:07



2 Answers

ini_set('session.cookie_httponly', 1);

more information here on the PHP docs

user2741089 answered Oct 12 '22 01:10


In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

Johan answered Oct 12 '22 02:10
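The two answers above show the two mechanisms (`ini_set()` and `session_set_cookie_params()`) separately; the following is an added example, not code from either answer or from the PHP project, that puts them together for PHPSESSID, covers the `session.cookie_secure` setting that the first answer leaves out, and adds a check of the resulting `Set-Cookie` header. The helper names `configure_session_cookie()` and `session_cookie_flags()` are this example's own; everything must run before `session_start()`, because that is the call that emits the cookie header.

```php
<?php
// Added example: harden the PHPSESSID cookie with Secure + HttpOnly.
// Assumes the script is served over HTTPS; with session.cookie_secure=1
// the browser will not return the cookie over plain HTTP, so logins would
// appear to "not stick" on an http:// URL.

function configure_session_cookie(): void
{
    // INI-level settings (equivalent to php.ini entries). Must precede session_start().
    ini_set('session.cookie_httponly', '1');  // not readable from document.cookie
    ini_set('session.cookie_secure', '1');    // only sent over TLS
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    // Same flags via session_set_cookie_params(). PHP >= 7.3 accepts an array
    // and can also set SameSite; older versions use the positional signature
    // quoted in the answer above.
    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params([
            'lifetime' => 0,      // session cookie, dropped when the browser closes
            'path'     => '/',
            'domain'   => '',     // current host only
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    } else {
        // (lifetime, path, domain, secure, httponly)
        session_set_cookie_params(0, '/', '', true, true);
    }
}

// Returns the effective flags so they can be asserted in a deployment check.
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return [
        'secure'   => (bool) $p['secure'],
        'httponly' => (bool) $p['httponly'],
        'samesite' => $p['samesite'] ?? '',
    ];
}

configure_session_cookie();
session_start();

// On a privilege change (e.g. login) rotate the ID so a pre-login value is useless.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
}

// Check: show the Set-Cookie header PHP queued for this response.
// Under a web SAPI this prints a line ending in "; secure; HttpOnly".
foreach (headers_list() as $header) {
    if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
        echo $header, "\n";
    }
}

var_export(session_cookie_flags()); // expect secure => true, httponly => true
```

Setting both `ini_set()` values and calling `session_set_cookie_params()` is redundant; the function simply writes the same INI settings at runtime. Keep whichever form fits the deployment (php.ini or `.user.ini` for a server-wide policy, the function call when the application owns its session setup), and verify from the client side with the browser's developer tools or `curl -I` that the `Set-Cookie: PHPSESSID=...` line carries both `Secure` and `HttpOnly`.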