Set httpOnly and secure on PHPSESSID cookie in PHP
In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )
How do you set up use HttpOnly cookies in PHP
- For your cookies, see this answer.
- For PHP's own session cookie (
PHPSESSID
, by default), see @richie's answer
The setcookie()
and setrawcookie()
functions, introduced the boolean httponly
parameter, back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax
Function syntax simplified for brevity
setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
In PHP < 8, specify NULL
for parameters you wish to remain as default.
In PHP >= 8 you can benefit from using named parameters. See this question about named params.
setcookie( $name, $value, httponly:true )
It is also possible using the older, lower-level header()
function:
header( "Set-Cookie: name=value; HttpOnly" );
You may also want to consider if you should be setting the Secure
parameter.
HTTPS - Cookie HttpOnly and secure
.htaccess is the wrong way to go about this.
PHP has session configuration options for this, you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …), or via a dedicated function call.
session.cookie_httponly
and session.cookie_secure
are the relevant options here.
See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.
Session cookies http & secure flag - how do you set these?
Since you asked for .htaccess, and this setting is PHP_INI_ALL, just put this in your .htaccess:
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
Note that session cookies will only be sent with https requests after that. This might come as a surprise if you lose a session in non-secured http page (but like pointed out in the comments, is really the point of the configuration in the first place...).
How to set a cookie with the secure flag in PHP?
The secure flag means "This cookie is only valid over HTTPS".
You are using HTTP (without the S).
This means the cookie is invalid and the browser is correctly ignoring it.
You can't require that cookies be secure if your communication channel isn't.
How to limit PHPSESSID cookie to https?
An easy approach might just be to use session_name() and set the name of the session. Then, only start the "admin session" on the pages that are admin pages and HTTPS.
How to set secure and httponly attributes on Symfony 4 session
As pointed by sam and with the correct documentation
In the Symfony framework, these options should be set in the framework.yaml
session:
handler_id: ~
cookie_secure: true
cookie_httponly: true
Related Topics
How to Put a Translation System in PHP Website
How to Have Multiple $_Get with the Same Key, Different Values
Ssl Error Can Not Change to Tls
The Ultimate Emoji Encoding Scheme
Php: How to Create Unicode Filenames
How to Use Date() in Doctrine 2 Dql
How to Examine Defined Constants in PHP
How to Get a List of Databases
Is a Blob Converted Using the Current/Default Charset in MySQL
$_Post Empty on Utf-8 Characters
Php, Why Do You Escape My Quotes
Extending Session Timeout in PHP via the .Htaccess
Php: Split String on Comma, But Not When Between Braces or Quotes
How to Upload Large File > 5Mb in Laravel 5
Routes in Codeigniter - Automatically
SQL Server Error 1934 Occurs on Insert to Table with Computed Column PHP/Pdo