Wow, copied and pasted in the wrong link, no wonder it made no sense - 
The correct link is:

Below are the methods I WAS working with (similar to your recommendation last 
week - thank you) and expanded with the blog post above recommendations.

@setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' ); // sets http flag but not secure (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE ); // sets secure but not http (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE . '; HttpOnly' ); // sets secure but not http (included)

What I've landed on in case this helps anyone else is the following:
@setcookie( $name, $value, $expires, $path, $domain . 'secure; HttpOnly' ); // this sets both http flag and secure

What made it work was using the word secure rather than a Boolean value and 
putting it within the quotes along with HttpOnly. 


-----Original Message-----
From: Andrew Ballard
Sent: Tuesday, August 16, 2011 1:06 PM
Subject: Re: [PHP] Secure vs httpOnly cookie flag: is one better?

I don't see the relevance of the address you cited above, but if you
are referring to the workaround that I showed you last week --

-- you can easily extend the technique to set both flags.

header('Set-Cookie: cookie_name=value; secure; HttpOnly');
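
Added example, not part of the original thread and not either poster's code: a helper that emits Secure and HttpOnly as separate attributes instead of appending text to another argument, plus a check that reports which attributes a Set-Cookie value actually carries. The function names and sample values are hypothetical; the last lines use the seventh `$httponly` argument that setcookie() has accepted since PHP 5.2.0.

```php
<?php
// Added example; function names and sample values are hypothetical/constructed.

// Build a Set-Cookie value with Secure and HttpOnly as discrete attributes.
function build_cookie_header($name, $value, $expires, $path, $domain)
{
    // Refuse separators that would let one field smuggle in extra attributes.
    if (preg_match('/[=;,\s]/', $name) || preg_match('/[;,\s]/', $path . $domain)) {
        throw new InvalidArgumentException('illegal character in cookie field');
    }
    $parts = [$name . '=' . rawurlencode($value)];
    if ($expires > 0) {
        $parts[] = 'expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
    }
    if ($path !== '')   { $parts[] = 'path=' . $path; }
    if ($domain !== '') { $parts[] = 'domain=' . $domain; }
    $parts[] = 'secure';
    $parts[] = 'HttpOnly';
    return implode('; ', $parts);
}

// Report which attributes a Set-Cookie value really carries.
function cookie_flags($header)
{
    $attrs = array_map('trim', explode(';', $header));
    array_shift($attrs);                       // drop the name=value pair
    $seen = [];
    foreach ($attrs as $attr) {
        $pair = explode('=', $attr, 2);
        $seen[strtolower($pair[0])] = isset($pair[1]) ? $pair[1] : '';
    }
    return [
        'secure'   => array_key_exists('secure', $seen),
        'httponly' => array_key_exists('httponly', $seen),
        'domain'   => isset($seen['domain']) ? $seen['domain'] : null,
    ];
}

$header = build_cookie_header('sid', 'abc123', time() + 3600, '/', 'example.com');
$flags  = cookie_flags($header);
echo $header, "\n";
echo 'secure: ', var_export($flags['secure'], true),
     ', httponly: ', var_export($flags['httponly'], true), "\n";

// In a web request, send it with header() as in the thread, or let PHP build it:
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    setcookie('sid', 'abc123', time() + 3600, '/', 'example.com', true, true);
}
```

Running cookie_flags() over the Set-Cookie values a page really emits also returns the Domain attribute, so a value that picked up extra text is visible next to the two flags.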

