RE: [PHP] Secure vs httpOnly cookie flag: is one better?
Andrew,

Wow, copied and pasted in the wrong link ... no wonder it made no sense - WHOOPS!!

The correct link is:
http://blog.mattmecham.com/2006/09/12/http-only-cookies-without-php-52/comment-page-1/#comment-14609

Below are the methods I WAS working with (similar to your recommendation last week - thank you) and expanded with the blog post above recommendations.

@setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' ); // sets http flag but not secure (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE ); // sets secure but not http (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE . '; HttpOnly' ); // sets secure but not http (included)

What I've landed on in case this helps anyone else is the following:

@setcookie( $name, $value, $expires, $path, $domain . 'secure; HttpOnly' ); // this sets both http flag and secure

What made it work was using the word secure rather than a Boolean value and putting it within the quotes along with HttpOnly.

Thanks!
Jen

-Original Message-
From: Andrew Ballard [mailto:aball...@gmail.com]
Sent: Tuesday, August 16, 2011 1:06 PM
To: j...@cetaceasound.com
Cc: php-general@lists.php.net
Subject: Re: [PHP] Secure vs httpOnly cookie flag: is one better?

I don't see the relevance of the address you cited above, but if you are referring to the workaround that I showed you last week -- http://marc.info/?l=php-general&m=131281548332245&w=2 -- you can easily extend the technique to set both flags.

header('Set-Cookie: cookie_name=value; secure; HttpOnly');

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Secure vs httpOnly cookie flag: is one better?
On Tue, Aug 16, 2011 at 1:01 PM, Jen Rasmussen wrote:
> Thank you in advance for your input on my question here.
>
> I am currently running PHP 5.1.6 and would prefer to set both the secure and
> httpOnly flags for a session cookie,
>
> however, httpOnly is not added until PHP 5.2. I have found an elegant way to
> set it ( courtesy of : http://www.youtube.com/watch?v=UW0UhYfs1es ) but I am
> unable to set both the secure and the httpOnly flags. I realize the post is
> quite old, but doh!, so is my version of PHP :)
>
> My guess is that if forced to choose, I should opt for secure but would
> prefer to do so with any opinions you may offer in mind.

I don't see the relevance of the address you cited above, but if you are referring to the workaround that I showed you last week -- http://marc.info/?l=php-general&m=131281548332245&w=2 -- you can easily extend the technique to set both flags.

header('Set-Cookie: cookie_name=value; secure; HttpOnly');

Andrew
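The header() approach from the reply above, written out as an added example that is not code from the thread: build_cookie_header() is a hypothetical helper, the cookie name, value and domain are constructed sample values, and the syntax is kept to what PHP 5.1 accepts. It emits both flags as separate attributes and refuses input that would inject extra attributes or header lines.

```php
<?php
// Added example: hypothetical helper, not from the thread.
// Builds the Set-Cookie header by hand so Secure and HttpOnly can both be
// sent on PHP versions whose setcookie() has no $httponly parameter.
function build_cookie_header($name, $value, $expires, $path, $domain, $secure, $httponly)
{
    // Cookie names must not contain separators, whitespace or control chars.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        return false;
    }
    // Reject characters that would end an attribute or the header line.
    if (preg_match('/[;,\s]/', $path . $domain)) {
        return false;
    }
    // Percent-encode the value so it cannot carry ';' or line breaks.
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';    // only returned over HTTPS
    }
    if ($httponly) {
        $header .= '; HttpOnly';  // hidden from document.cookie
    }
    return $header;
}

// Constructed sample values; expires = 0 makes it a session cookie.
$line = build_cookie_header('sid', 'abc 123', 0, '/', 'www.example.com', true, true);
if ($line !== false && !headers_sent()) {
    // Second argument false = append, so other Set-Cookie headers survive.
    header($line, false);
}
```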
[PHP] Secure vs httpOnly cookie flag: is one better?
Thank you in advance for your input on my question here.

I am currently running PHP 5.1.6 and would prefer to set both the secure and httpOnly flags for a session cookie, however, httpOnly is not added until PHP 5.2. I have found an elegant way to set it ( courtesy of : http://www.youtube.com/watch?v=UW0UhYfs1es ) but I am unable to set both the secure and the httpOnly flags. I realize the post is quite old, but doh!, so is my version of PHP :)

My guess is that if forced to choose, I should opt for secure but would prefer to do so with any opinions you may offer in mind.

Thanks!!
Jen