httpOnly Cookies [tiny enhancement]

20 years ago by Jochen Hansper — view source — reply

unread

Hello,

Jani: Provide the patch against CVS HEAD branch.

You can find the patches for httpOnly session cookies against the PHP5
CVS HEAD in the attachment.
Now also included is support for httpOnly cookies for PHP functions
setcookie() and setrawcookie().

bool setcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] )
bool setrawcookie ( string name [, string value [, int expire [, string path [, string domain [, bool secure [, bool httponly]]]]] )

Default value for httponly is 0.

Steven: IE on Mac fails to recognize such cookies. You will have to
code around this browser bug.

An easy hack around this is to identify that browser by use of
browscap.ini and then code something like this for session cookies:

if(IE-MAC) {
session_set_cookie_params(ini_get("session.cookie_lifetime"),ini_get("session.cookie_path"),ini_get("session.cookie_domain"),ini_get("session.cookie_secure"),0);
}
session_start();

Jochen

[ext/session/session.c.patch ; ext/session/php_session.h.patch ; ext/standard/head.c.patch ; ext/standard/head.h.patch]

20 years ago by Nuno Lopes — view source — reply

unread

You can find the patches for httpOnly session cookies against the PHP5
CVS HEAD in the attachment.
Now also included is support for httpOnly cookies for PHP functions
setcookie() and setrawcookie().

bool setcookie ( string name [, string value [, int expire [, string path
[, string domain [, bool secure [, bool httponly]]]]] )
bool setrawcookie ( string name [, string value [, int expire [, string
path [, string domain [, bool secure [, bool httponly]]]]] )

AFAIR, it was agreed not to add more parameters to these functions and
overload the third parameter as an array (with new options, like a better
expire option).

Nuno

20 years ago by Andi Gutmans — view source — reply

unread

Yep, that's what I remember too. Would make more sense IMO.

At 11:05 AM 6/24/2005 +0100, Nuno Lopes wrote:

You can find the patches for httpOnly session cookies against the PHP5
CVS HEAD in the attachment.
Now also included is support for httpOnly cookies for PHP functions
setcookie() and setrawcookie().

bool setcookie ( string name [, string value [, int expire [, string path
[, string domain [, bool secure [, bool httponly]]]]] )
bool setrawcookie ( string name [, string value [, int expire [, string
path [, string domain [, bool secure [, bool httponly]]]]] )

AFAIR, it was agreed not to add more parameters to these functions and
overload the third parameter as an array (with new options, like a better
expire option).

Nuno