Quoting steve iamstever@gmail.com:
Just a note -- having implemented and deployed this (in userspace, not
in php itself) -- setting the http_only flag kills the cookie in IE on
the Mac. One would hope no one is using such a thing anymore, but I
thought I'd point it out, and I'm definitely in favor of the change.
Maybe it will get Mozilla to finally implement it (and deal with a
cookie file format change -- ooh, biggie).

IE for Mac isn't part of our test suite here so I never gave it a check, frankly
it's no longer supported by Microsoft or Apple and has since been superseded by
Safari. Suitable documentation can be added explaining the problem with IE for
Mac though I suspect it has already disappeared through its lack of support for
"Web 2.0".
Our test results showed that Opera, Webkit, Gecko and IE based browsers had no
problem with the cookie format sent; those which didn't support HttpOnly simply
ignored it (Gecko).
The Mozilla feature request is at
https://bugzilla.mozilla.org/show_bug.cgi?id=178993
A patch was submitted after
sponsorship from Live Journal but since the change wasn't backwards compatible
with older versions of the browsers they refused to implement it.
Cheers,
Scott

IE for Mac isn't part of our test suite here so I never gave it a check, frankly
it's no longer supported by Microsoft or Apple and has since been superseded by
Safari.

Yeah save for people with MacOS9. Again, who cares? Just thought a
note should go in the manual (just a comment on the cookie page would
be enough). End users could do a browser check if they wanted.
I think having this will increase the use of it, which would be better
for everyone. :)
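
The userspace approach and browser check mentioned in the thread, as an added example that is not code from either poster or from PHP itself. The helper names `ie_mac_ua()` and `build_cookie_header()` are hypothetical, the User-Agent strings are constructed samples, and the User-Agent match is a heuristic.

```php
<?php
// Added example: build a Set-Cookie header in userspace and append HttpOnly,
// except for clients that look like IE for Mac (reported above to drop the cookie).

/** Heuristic: true when the User-Agent looks like Internet Explorer on a Mac. */
function ie_mac_ua(string $ua): bool
{
    // IE for Mac sent both an "MSIE" token and a "Mac" platform token.
    return stripos($ua, 'MSIE') !== false
        && stripos($ua, 'Mac') !== false
        && stripos($ua, 'Opera') === false; // Opera could masquerade as MSIE
}

/** Returns the full header line; pass it to header($line, false) in real use. */
function build_cookie_header(string $name, string $value, string $ua, array $opts = []): string
{
    if ($name === '' || preg_match('/[=,;\s]/', $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    $path   = $opts['path'] ?? '/';
    $domain = $opts['domain'] ?? '';
    // Reject characters that would start a new attribute or a new header line.
    if (preg_match('/[;\r\n]/', $path . $domain)) {
        throw new InvalidArgumentException('Invalid cookie attribute');
    }
    $parts = [$name . '=' . rawurlencode($value)];
    if (!empty($opts['expires'])) {
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', (int) $opts['expires']) . ' GMT';
    }
    $parts[] = 'path=' . $path;
    if ($domain !== '')          { $parts[] = 'domain=' . $domain; }
    if (!empty($opts['secure'])) { $parts[] = 'secure'; }
    // Browsers without HttpOnly support ignore the attribute, so only the
    // client known to mishandle it is excluded.
    if (!ie_mac_ua($ua))         { $parts[] = 'HttpOnly'; }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Constructed sample User-Agent strings.
$samples = [
    'Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
];
foreach ($samples as $ua) {
    echo build_cookie_header('sid', 'abc123', $ua, ['secure' => true]), "\n";
}
```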