Hi, I'm sorry, I didn't even see that this is for sessions! :-/ Never mind...

Matt

----- Original Message -----
From: "Matt W" <[EMAIL PROTECTED]>
Sent: Wednesday, June 22, 2005 7:36 PM
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]

> Hi,
>
> Supporting the httpOnly thing is good, but is a php.ini setting better than
> another setcookie() parameter? I thought that's how it would be
> implemented... Well, I guess we can use ini_set().
>
>
> Matt
>
> ----- Original Message -----
> From: "Jochen Hansper" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 22, 2005 7:03 PM
> Subject: [PHP-DEV] httpOnly Cookies [tiny enhancement]
>
>
> > Hi,
> >
> > Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> > prevents reading cookies from JavaScript or the like. This can help to
> > mitigate XSS session hijacking. Browsers not supporting this cookie
> > attribute are not disturbed if it is present.
> >
> > AFAIK PHP does not support httponly cookies. So here's a patch that will
> > add support for it in PHP4.
> > (files ext/session/session.c and ext/session/session_php.h have to be
> > changed)
> >
> > After you apply the changes (and recompile), you can add a line like
> > this in php.ini:
> >
> > session.cookie_httponly=1
> >
> > It enables httpOnly cookies. Default value is 0 (off, if line is
> > missing).

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
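
Added example, not part of the thread or of the posted patch: a small audit that reads response header lines and reports which cookies were set without the HttpOnly attribute, which is the visible effect of session.cookie_httponly on the session cookie only. The header lines are constructed sample data, and PHPSESSID is assumed as the session cookie name (PHP's default session.name).

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# Every header line below is constructed sample data, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are matched case-insensitively (HttpOnly, httponly).
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_missing_httponly(header_lines, only_names=None):
    """Return the names of cookies that were set without HttpOnly.

    header_lines: raw response header lines in "Field: value" form.
    only_names:   optional set of cookie names to restrict the audit to.
    """
    missing = []
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if only_names is not None and name not in only_names:
            continue
        # Look at parsed attributes only; a substring search would be
        # fooled by a cookie whose *value* happens to be "httponly".
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed response with the setting off (session.cookie_httponly=0).
RESPONSE_OFF = [
    "Content-Type: text/html",
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/",
    "Set-Cookie: theme=httponly; path=/",  # value only, not the attribute
]
# Constructed response with the setting on: only the session cookie changes.
RESPONSE_ON = [
    "Content-Type: text/html",
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly",
    "Set-Cookie: theme=dark; path=/",
]
```

Cookies an application sets itself, such as the constructed "theme" cookie, are untouched by the session setting and still show up as missing the attribute.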