Set Httponly and Secure on PHPsessid Cookie in PHP

Set httpOnly and secure on PHPSESSID cookie in PHP

In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

How do you set up use HttpOnly cookies in PHP

• For your cookies, see this answer.
• For PHP's own session cookie (PHPSESSID, by default), see @richie's answer

The setcookie() and setrawcookie() functions, introduced the boolean httponly parameter, back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax

Function syntax simplified for brevity

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

In PHP < 8, specify NULL for parameters you wish to remain as default.

In PHP >= 8 you can benefit from using named parameters. See this question about named params.

setcookie( $name, $value, httponly:true )

It is also possible using the older, lower-level header() function:

header( "Set-Cookie: name=value; HttpOnly" );

You may also want to consider if you should be setting the Secure parameter.

HTTPS - Cookie HttpOnly and secure

.htaccess is the wrong way to go about this.

PHP has session configuration options for this, you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …), or via a dedicated function call.

session.cookie_httponly and session.cookie_secure are the relevant options here.

See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.

Session cookies http & secure flag - how do you set these?

Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:

php_value session.cookie_httponly 1
php_value session.cookie_secure 1

Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session in non-secured http page (but like pointed out in the comments, is really the point of the configuration in the first place...).

How to set a cookie with the secure flag in PHP?

The secure flag means "This cookie is only valid over HTTPS".

You are using HTTP (without the S).

This means the cookie is invalid and the browser is correctly ignoring it.

You can't require that cookies be secure if your communication channel isn't.

How to limit PHPSESSID cookie to https?

An easy approach might just be to use session_name() and set the name of the session. Then, only start the "admin session" on the pages that are admin pages and HTTPS.

How to set secure and httponly attributes on Symfony 4 session

As pointed by sam and with the correct documentation

In the Symfony framework, these options should be set in the framework.yaml

    session:
       handler_id: ~
       cookie_secure: true
       cookie_httponly: true

---

Related Topics