> There were some posts today on planet-php.org about the use of
> http-only cookies - apparently it's a way to hide the transmittal of
> cookie data. Anyone know anything about this and is it worthwhile to
> explore or utilize?
this is a microsoft extension to cookies. it means that javascript cannot access the cookie. this is to help with xss issues that surround the problem of javascript reading cookies from other domains.

httponly cookies are supported in php, but you also need a browser that can implement this type of extension. i know that ff2 does not support it unless you use some extension/hack. IE6, i think, implements the httponly cookie. ff3 might have this support in nov., however not sure what the timeline for that is.

it's a move in the right direction, but will not stop all the xss vulnerabilities out there.

-- ray
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
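
An added example, not part of the original thread: in PHP the seventh argument of `setcookie()` sets the HttpOnly attribute, and a small check over the response headers flags any cookie sent without it. The function names, cookie names, token and sample header lines are constructed for illustration; in a web request, pass `headers_list()` to the check instead of the sample array.

```php
<?php
// Added example. Function names, cookie names and header lines are constructed.

/**
 * Send a session cookie that scripts cannot read through document.cookie.
 * setcookie() arguments: name, value, expire, path, domain, secure, httponly
 * (the httponly argument exists since PHP 5.2).
 */
function issue_session_cookie(string $token): bool
{
    return setcookie('sid', $token, 0, '/', '', true, true);
}

/**
 * Return the names of cookies in the given header lines whose Set-Cookie
 * header carries no HttpOnly attribute.
 */
function cookies_missing_httponly(array $headerLines): array
{
    $prefix  = 'Set-Cookie:';
    $missing = [];
    foreach ($headerLines as $line) {
        if (stripos($line, $prefix) !== 0) {
            continue; // not a cookie header
        }
        // "name=value; attr; attr=value" -> list of trimmed parts
        $parts = array_map('trim', explode(';', substr($line, strlen($prefix))));
        $name  = explode('=', array_shift($parts), 2)[0];
        // Attribute names are case-insensitive
        $attrs = array_map('strtolower', $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample of response headers: one protected cookie, one not.
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: sid=abc123; path=/; secure; HttpOnly',
    'Set-Cookie: theme=dark; path=/',
];

foreach (cookies_missing_httponly($sample) as $name) {
    echo "cookie without HttpOnly: $name\n";
}
```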
