Hi,

Supporting the httpOnly thing is good, but is a php.ini setting better than another setcookie() parameter? I thought that's how it would be implemented... Well, I guess we can use ini_set().

Matt

----- Original Message -----
From: "Jochen Hansper" <[EMAIL PROTECTED]>
Sent: Wednesday, June 22, 2005 7:03 PM
Subject: [PHP-DEV] httpOnly Cookies [tiny enhancement]

> Hi,
>
> Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> prevents reading cookies from JavaScript or the like. This can help to
> mitigate XSS session hijacking. Browsers not supporting this cookie
> attribute are not disturbed if it is present.
>
> AFAIK PHP does not support httponly cookies. So here's a patch that will
> add support for it in PHP4.
> (files ext/session/session.c and ext/session/session_php.h have to be
> changed)
>
> After you apply the changes (and recompile), you can add a line like
> this in php.ini:
>
> session.cookie_httponly=1
>
> It enables httpOnly cookies. Default value is 0 (off, if line is
> missing).

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
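
Added example, not part of the original thread or of the patch it describes: a check that a response's Set-Cookie headers actually carry the attribute once session.cookie_httponly is enabled. The header lines are constructed samples, and PHPSESSID is assumed as the session cookie name (PHP's default).

```python
# Audit Set-Cookie headers for the HttpOnly attribute.
# SAMPLE_HEADERS is constructed sample data, not captured traffic.
# PHPSESSID is assumed to be the session cookie name (PHP's default).

SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=a1b2c3d4e5; path=/",
    "Set-Cookie: PHPSESSID=a1b2c3d4e5; path=/; HttpOnly",
    "Set-Cookie: prefs=lang%3Den; expires=Wed, 22 Jun 2005 19:03:00 GMT; httponly",
    "Set-Cookie: note=httponly; path=/",  # value looks like the flag, but is not one
    "Content-Type: text/html",
]


def parse_set_cookie(line):
    """Return (cookie_name, set of lowercased attribute names), or None."""
    field, sep, value = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    # The first segment is name=value; only later segments are attributes.
    name = parts[0].partition("=")[0].strip()
    if not name:
        return None
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_httponly(header_lines, names=None):
    """List cookies set without HttpOnly, optionally limited to given names."""
    findings = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        if names is not None and name not in names:
            continue
        # Attribute names are case-insensitive: HttpOnly, httponly, HTTPONLY.
        if "httponly" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} is set without HttpOnly")
```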