Newsgroups: php.internals
Xref: news.php.net php.internals:16870
Message-ID: <008601c5778b$88c1f820$0201a8c0@PC1>
To: "Jochen Hansper" ,
References: <1119485004.7376.20.camel@mframe.test-lab>
Date: Wed, 22 Jun 2005 19:36:02 -0500
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]
From: php_lists@realplain.com ("Matt W")

Hi,

Supporting the httpOnly thing is good, but is a php.ini setting better than another setcookie() parameter? I thought that's how it would be implemented... Well, I guess we can use ini_set().
Matt

----- Original Message -----
From: "Jochen Hansper"
Sent: Wednesday, June 22, 2005 7:03 PM
Subject: [PHP-DEV] httpOnly Cookies [tiny enhancement]

> Hi,
>
> Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> prevents reading cookies from JavaScript or the like. This can help to
> mitigate XSS session hijacking. Browsers not supporting this cookie
> attribute are not disturbed if it is present.
>
> AFAIK PHP does not support httponly cookies. So here's a patch that will
> add support for it in PHP4.
> (files ext/session/session.c and ext/session/session_php.h have to be
> changed)
>
> After you apply the changes (and recompile), you can add a line like
> this in php.ini:
>
> session.cookie_httponly=1
>
> It enables httpOnly cookies. Default value is 0 (off, if line is
> missing).
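Added example, not part of the thread or of the patch: the two mechanisms the discussion touches on, as they exist in released PHP (both the session.cookie_httponly directive and an $httponly parameter on setcookie() shipped in PHP 5.2.0; the patch above targets PHP 4, which has neither). The weak and corrected settings are shown side by side, followed by a small audit helper that checks outgoing Set-Cookie headers for the attribute, run here against constructed header strings so it works offline. The helper name cookies_missing_httponly() and the cookie name "prefs" are illustrative and not from PHP or the patch. Note that the flag only protects the cookie when the browser honours it; it does nothing against script that can already issue authenticated requests from the victim's page.

```php
<?php
// Assumes PHP >= 5.2.0 (ini directive and the 7th setcookie() argument);
// the options-array form of setcookie() used further down needs PHP >= 7.3.0.

// --- Session cookie ---------------------------------------------------------
// Weak: default, the session id cookie is readable via document.cookie.
//   ini_set('session.cookie_httponly', '0');
// Corrected: must be set BEFORE session_start(), which emits the Set-Cookie.
ini_set('session.cookie_httponly', '1');
// Equivalent per-request form (lifetime, path, domain, secure, httponly):
// session_set_cookie_params(0, '/', '', true, true);
session_start();

// --- Other cookies ------------------------------------------------------------
// Weak: no flag, the cookie is visible to any script running on the origin.
//   setcookie('prefs', 'dark', 0, '/');
// Corrected: 6th argument $secure, 7th argument $httponly (PHP >= 5.2.0).
setcookie('prefs', 'dark', 0, '/', '', true, true);
// PHP >= 7.3.0 options-array form, which also allows SameSite.
// setcookie('prefs', 'dark', ['path' => '/', 'secure' => true,
//                              'httponly' => true, 'samesite' => 'Lax']);

/**
 * Return the names of cookies in the given response headers whose
 * Set-Cookie line does not carry an HttpOnly attribute.
 *
 * @param string[] $headers raw header lines, e.g. from headers_list()
 * @return string[] cookie names lacking HttpOnly
 */
function cookies_missing_httponly(array $headers): array
{
    $missing = [];
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = trim(substr($line, strlen('Set-Cookie:')));
        // Cookie name is everything before the first '='.
        $name = explode('=', $value, 2)[0];
        // Attribute names are case-insensitive; match ";HttpOnly" as a whole token.
        if (!preg_match('/;\s*httponly\s*(?:;|$)/i', $value)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample headers (not captured from a real server).
$sample = [
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=0123456789abcdef; path=/',
    'Set-Cookie: prefs=dark; path=/; secure; HttpOnly',
    'Set-Cookie: tracking=1; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/',
];
print_r(cookies_missing_httponly($sample));
// Array ( [0] => PHPSESSID [1] => tracking )

// In a web SAPI, audit what this script is actually about to send:
// print_r(cookies_missing_httponly(headers_list()));
```

The audit is worth keeping around because the directive is easy to get wrong in deployment: an ini_set() placed after session_start(), or a php.ini that is not the one the web SAPI reads, silently leaves the session cookie exposed while the code looks correct.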