Newsgroups: php.internals
Message-ID: <009c01c57790$6cf552e0$0201a8c0@PC1>
To: "Jochen Hansper",
References: <1119485004.7376.20.camel@mframe.test-lab> <008601c5778b$88c1f820$0201a8c0@PC1>
Date: Wed, 22 Jun 2005 20:11:03 -0500
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]
From: php_lists@realplain.com ("Matt W")

Hi,

I'm sorry, I didn't even see that this is for sessions! :-/ Never mind...

Matt

----- Original Message -----
From: "Matt W"
Sent: Wednesday, June 22, 2005 7:36 PM
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]

> Hi,
>
> Supporting the httpOnly thing is good, but is a php.ini setting better than
> another setcookie() parameter? I thought that's how it would be
> implemented... Well, I guess we can use ini_set().
>
>
> Matt
>
> ----- Original Message -----
> From: "Jochen Hansper"
> Sent: Wednesday, June 22, 2005 7:03 PM
> Subject: [PHP-DEV] httpOnly Cookies [tiny enhancement]
>
>
> > Hi,
> >
> > Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> > prevents reading cookies from JavaScript or the like. This can help to
> > mitigate XSS session hijacking. Browsers not supporting this cookie
> > attribute are not disturbed if it is present.
> >
> > AFAIK PHP does not support httponly cookies. So here's a patch that will
> > add support for it in PHP4.
> > (files ext/session/session.c and ext/session/session_php.h have to be
> > changed)
> >
> > After you apply the changes (and recompile), you can add a line like
> > this in php.ini:
> >
> > session.cookie_httponly=1
> >
> > It enables httpOnly cookies. Default value is 0 (off, if line is
> > missing).
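Added here as an illustration, not part of the thread or of the patch it discusses: a small Python checker that parses Set-Cookie response headers and reports session cookies sent without the HttpOnly attribute, which is how a deployer would confirm that session.cookie_httponly=1 actually took effect. It assumes PHP's default session cookie name PHPSESSID (configurable via session.name), and the sample headers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Constructed sample response headers (not taken from the thread): one PHP
# session cookie set with HttpOnly, one without, and one unrelated cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly",
    "Set-Cookie: PHPSESSID=def456; path=/",
    "Set-Cookie: lang=en; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT",
]


@dataclass
class Cookie:
    name: str
    value: str
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        # Attribute names are case-insensitive: the e-mail writes "httponly",
        # PHP emits "HttpOnly", browsers accept either.
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header line into name, value and attributes."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")  # flag attributes have no value
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def cookies_missing_httponly(headers: List[str],
                             session_names: Sequence[str] = ("PHPSESSID",)) -> List[str]:
    """Return 'name=value' for each session cookie sent without HttpOnly."""
    missing = []
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        c = parse_set_cookie(h)
        if c.name in session_names and not c.httponly:
            missing.append(f"{c.name}={c.value}")
    return missing
```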