How do you set up HttpOnly cookies in PHP
- For your cookies, see this answer.
- For PHP's own session cookie (PHPSESSID, by default), see @richie's answer.
The setcookie() and setrawcookie() functions introduced the boolean httponly parameter back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax:
Function syntax simplified for brevity
setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
In PHP < 8, specify NULL for parameters you wish to remain as default.
In PHP >= 8 you can benefit from using named parameters. See this question about named params.
setcookie( $name, $value, httponly:true )
It is also possible using the older, lower-level header() function:
header( "Set-Cookie: name=value; HttpOnly" );
You may also want to consider whether you should be setting the Secure parameter.
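Putting the three approaches from this answer side by side, as an added example that is not part of the original answer. It assumes PHP >= 7.3 (for the options-array form of setcookie(), which also exposes SameSite, something the positional parameters never did); the cookie names and values are constructed placeholders.

```php
<?php
// Added example (not from the original answer): three ways to emit an
// HttpOnly cookie, followed by a check of what will actually be sent.
declare(strict_types=1);

// Secure flag: only send the cookie over HTTPS. Detected the same way the
// answers on this page do; behind a TLS-terminating proxy you would trust a
// forwarded-proto header instead (assumption: PHP sees the TLS connection).
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// 1. PHP >= 7.3: options array. Preferred, because it can also set SameSite.
setcookie('app_token', 'opaque-random-value', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => '',          // empty = current host only
    'secure'   => $isHttps,
    'httponly' => true,        // not readable through document.cookie
    'samesite' => 'Lax',       // 'Strict' or 'None' ('None' requires secure)
]);

// 2. PHP 5.2 .. 7.2: positional parameters; the 7th one is $httponly.
setcookie('legacy_token', 'opaque-random-value', time() + 3600, '/', '', $isHttps, true);

// 3. Raw header, for attributes PHP's wrapper does not know about.
//    The second argument (false) appends instead of replacing earlier
//    Set-Cookie headers, which header() would otherwise do by default.
header(
    'Set-Cookie: raw_token=opaque-random-value; Path=/; HttpOnly; SameSite=Lax'
    . ($isHttps ? '; Secure' : ''),
    false
);

// Verify before any output: every Set-Cookie header must carry HttpOnly.
// headers_list() also works from the CLI, so this can be run as a script.
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'HttpOnly') === false) {
        trigger_error("Cookie sent without HttpOnly: $h", E_USER_WARNING);
    }
    echo $h, PHP_EOL;
}
```

Run it as `php cookies.php` to see the three Set-Cookie lines; the loop is the kind of self-check worth keeping in a test suite, since a single cookie missing the flag is enough to expose a token to script on the page.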
Set httpOnly and secure on PHPSESSID cookie in PHP
In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
How to set session.cookie value httponly in Codeigniter
httponly cookies are supported by https enabled sites like https://www.samplewebsite.com and you don't need to set it manually. Just ask your service provider to change the "cookie_httponly" value to be true or if you have server access, set it yourself. You can also apply the code below to your .htaccess file.
Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
Header set Set-Cookie "%{http_cookie}e; HTTPOnly" env=http_cookie
Setting secure session cookies in php
A1: Your above code looks ideal, as long as it follows the PHP documentation page, who are we to say otherwise;
A2: This all just depends on exactly what this is being used for. In banking, some like to kill the session within minutes of inactivity. In gaming or social networking, these settings tend to be more relaxed and lenient as to give the user more leeway;
A3: Yes, you would have to change the cookie to reflect the new subdomain admin change. If you wanted to set a global cookie (that works on all subdomains):
// Parameter order is $lifetime, $path, $domain, $secure, $httponly; path '/' plus the bare domain covers every subdomain
session_set_cookie_params(3600, '/', 'example.com', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? true : false, true);
Hope this helps!
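Both the session_set_cookie_params() answer above and A3 here are about the same thing, hardening PHPSESSID before session_start(), so one added example covers them (it is not code from either answer). It assumes PHP >= 7.3, which accepts an options array and the samesite key; the domain value is a placeholder.

```php
<?php
// Added example: lock down the PHP session cookie. Everything here must run
// before session_start(), because the cookie is emitted at that point.
declare(strict_types=1);

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Option A: ini directives (the same keys a php.ini or a host's control panel
// would expose). These apply to every later session_start() in this request.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', $isHttps ? '1' : '0');
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue (fixation)

// Option B: explicit parameters; these override the ini values for this request.
session_set_cookie_params([
    'lifetime' => 0,            // 0 = browser-session cookie
    'path'     => '/',
    'domain'   => '',           // '' = this host; 'example.com' to share across subdomains
    'secure'   => $isHttps,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Fail closed: confirm the flags took effect before the cookie is issued.
$p = session_get_cookie_params();
if (!$p['httponly'] || ($isHttps && !$p['secure'])) {
    throw new RuntimeException('session cookie flags were not applied');
}

session_start();
// Issue a fresh id under the hardened settings and drop the old session file.
session_regenerate_id(true);
$_SESSION['started'] = time();
```

The A2 point about idle timeouts is a separate setting: the cookie lifetime above only controls how long the browser keeps the cookie, so an inactivity limit still has to be enforced server-side by comparing a stored timestamp such as `$_SESSION['started']` against the current time on each request.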
PHP normal cookies vs. HttpOnly cookies: precedence in $_COOKIE
It is not possible. If a script on the page sets a value for the same cookie, the server-sent cookie is overwritten.