How to Set Up HttpOnly Cookies in PHP

How do you set up HttpOnly cookies in PHP?

  • For your cookies, see this answer.
  • For PHP's own session cookie (PHPSESSID, by default), see @richie's answer

The setcookie() and setrawcookie() functions introduced the boolean httponly parameter back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax:

Function syntax, simplified for brevity:

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

In PHP < 8, specify NULL for parameters you wish to remain as default.

In PHP >= 8 you can benefit from using named parameters. See this question about named params.

setcookie( $name, $value, httponly:true )

It is also possible using the older, lower-level header() function:

header( "Set-Cookie: name=value; HttpOnly" );

You may also want to consider if you should be setting the Secure parameter.
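The two routes the answer above describes (the setcookie() parameter and the raw header()) side by side, as an added example that is not part of the original answer. It assumes PHP 7.3 or later for the options-array form of setcookie(), which is the only way to also get SameSite (the positional list stops at httponly); the cookie names, values and lifetime are illustrative. The audit at the end walks headers_list() and reports any Set-Cookie queued without HttpOnly, which catches cookies set by a library that did not pass the flag. Under the CLI nothing is sent, but headers_list() still reflects what setcookie() and header() queued, so the audit can be exercised there.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer above. Assumes PHP >= 7.3 for the
// options-array form of setcookie(); the header() fallback works on any
// version. Cookie name, value and lifetime are illustrative.

function requestIsHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (string)($_SERVER['SERVER_PORT'] ?? '') === '443';
}

// Preferred form: every attribute is explicit, and samesite is only
// reachable through this array signature (there is no 8th positional arg).
function setHardenedCookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'domain'   => '',               // host-only: not shared with subdomains
        'secure'   => requestIsHttps(), // in production simply pass true
        'httponly' => true,             // hidden from document.cookie
        'samesite' => 'Lax',            // 'None' is only honoured together with Secure
    ]);
}

// Fallback using the raw header. The second argument (false) appends instead
// of replacing: header() defaults to replace=true, which silently drops any
// Set-Cookie header already queued for this response.
function setHardenedCookieRaw(string $name, string $value, int $ttlSeconds): void
{
    $expires = gmdate('D, d M Y H:i:s \G\M\T', time() + $ttlSeconds);
    header(sprintf(
        'Set-Cookie: %s=%s; Expires=%s; Path=/; Secure; HttpOnly; SameSite=Lax',
        rawurlencode($name),
        rawurlencode($value),
        $expires
    ), false);
}

// Audit the headers queued for this response and return every Set-Cookie
// that lacks HttpOnly. Run it from a shutdown function or a test.
function cookiesMissingHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') === 0
            && !preg_match('/;\s*HttpOnly\s*(;|$)/i', $h)) {
            $missing[] = $h;
        }
    }
    return $missing;
}

setHardenedCookie('prefs', 'theme=dark', 3600);
setHardenedCookieRaw('csrf_seed', bin2hex(random_bytes(16)), 3600);
setcookie('legacy', '1');   // deliberately weak, so the audit has something to report

foreach (cookiesMissingHttpOnly(headers_list()) as $h) {
    error_log('cookie without HttpOnly: ' . $h);
}
```

The audit reports only the "legacy" cookie. Note that HttpOnly stops JavaScript from reading the cookie; it does not stop the browser from sending it on a cross-site request, which is what SameSite (and Secure, for plaintext HTTP) is for.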

Set httpOnly and secure on PHPSESSID cookie in PHP

In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

How to set session.cookie value httponly in Codeigniter

HttpOnly cookies are supported by HTTPS-enabled sites like https://www.samplewebsite.com and you don't need to set it manually. Just ask your service provider to change the "cookie_httponly" value to true, or if you have server access, set it yourself. You can also apply the code below to your .htaccess file.

# Requires mod_headers. Appends Secure and HttpOnly to every Set-Cookie header
# the application emits (a cookie that already carries a flag gets it twice,
# which browsers tolerate).
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
# Only fires when an environment variable named http_cookie has been set
# (for example by a SetEnvIf rule, not shown here); otherwise it is a no-op.
Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie

Setting secure session cookies in php

A1: Your code above looks ideal; as long as it follows the PHP documentation page, who are we to say otherwise?

A2: This all just depends on exactly what this is being used for. In banking, some like to kill the session within minutes of inactivity. In gaming or social networking, these settings tend to be more relaxed and lenient as to give the user more leeway;

A3: Yes, you would have to change the cookie to reflect the new subdomain admin change. If you wanted to set a global cookie (that works on all subdomains):

// lifetime, path, domain, secure, httponly
session_set_cookie_params(3600, '/', 'example.com', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? true : false, true);

Hope this helps!
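A complete version of what the session_set_cookie_params() answer and the subdomain answer above both describe, as an added example that is not from either answer: hardening PHP's own session cookie before session_start(), choosing between a host-only and a subdomain-wide cookie, and reading the result back so a test can assert on it. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() (which is also the only way to set SameSite on the session cookie) and falls back to the positional signature quoted in the answer on older versions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers above. Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params(); uses the older positional form
// otherwise. Everything here must run before session_start().

// $domain = '' gives a host-only cookie (the tightest choice). Pass
// 'example.com' only if the session really must be shared across subdomains:
// every host under it, including a compromised one, can then read and
// overwrite the session cookie.
function configureSessionCookie(string $domain = '', int $lifetime = 0): void
{
    // Hardening that lives in ini settings rather than cookie attributes:
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue (fixation)

    $params = [
        'lifetime' => $lifetime,  // 0 = until the browser closes; server-side expiry is gc_maxlifetime
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,       // see note below on detecting HTTPS at runtime
        'httponly' => true,
        'samesite' => 'Lax',
    ];

    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params($params);
    } else {
        // Positional signature from the answer above; no samesite here.
        session_set_cookie_params(
            $params['lifetime'], $params['path'], $params['domain'],
            $params['secure'], $params['httponly']
        );
    }
}

// Read back what the session extension will actually emit, instead of
// trusting that the call happened in the right order.
function sessionCookieIsHardened(): bool
{
    $p = session_get_cookie_params();
    return $p['httponly'] === true && $p['secure'] === true;
}

configureSessionCookie('');   // host-only; use 'example.com' for all subdomains
if (!sessionCookieIsHardened()) {
    throw new RuntimeException('session cookie params not applied (called after session_start()?)');
}

if (PHP_SAPI !== 'cli') {
    session_start();
    session_regenerate_id(true);   // fresh ID on privilege change, e.g. right after login
    $_SESSION['user'] = 'demo';
}
```

session.cookie_httponly = 1 and session.cookie_secure = 1 in php.ini are the same knobs as the array keys above, which is what the CodeIgniter answer means by asking the host to change cookie_httponly. The $_SERVER['HTTPS'] ternary from the answer above is only worth keeping if the same code genuinely serves plaintext HTTP somewhere; behind a TLS-terminating proxy $_SERVER['HTTPS'] is usually unset, so the check would wrongly drop Secure. Passing true unconditionally is the safer default.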

Php normal cookies vs httponly cookies precedence in $_COOKIE

It is not possible. If a script on the page sets a value for the same cookie, the server sent cookie is overwritten.
