Set httpOnly and secure on PHPSESSID cookie in PHP

Question

Whats the recommended way to set httponly and secure flags on the PHPSESSID cookie?

I found http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly. Any better suggestions?

thanks

Answer 1

In my opinion the best would be: http://www.php.net/manual/en/function.session-set-cookie-params.php

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

Answer 2

ini_set('session.cookie_httponly', 1);

more information here on the PHP docs

Answer 3

I was unable to get the secure flag working with session_set_cookie_params(...), so what I did was, after session_start() set the PHPSESSID cookie, I reset it with setcookie(...). The final parameter, true, makes the cookie have a secure flag.

<?php  
session_start();  
$currentCookieParams = session_get_cookie_params();  
$sidvalue = session_id();  
setcookie(  
    'PHPSESSID',//name  
    $sidvalue,//value  
    0,//expires at end of session  
    $currentCookieParams['path'],//path  
    $currentCookieParams['domain'],//domain  
    true //secure  
);  
?>

When I checked the PHPSESSID cookie in Firefox, its 'Send for' property was set to 'Encrypted connections only' and its 'Expires' property was set to 'At end of session'.

Answer 4

I use Apache httpd over HTTPS, set session.cookie_httponly = 1 & session.cookie_secure = 1 works for me.

Answer 5

If you are using Apache, try this on your .htaccess

php_value session.cookie_httponly 1

Answer 6

Using .htaccess for this purpose just slows down your application.

I think its better to add this snippet in your main config file ( example config.php ) or main include file ( example global.php )

    // Prevents javascript XSS attacks aimed to steal the session ID
    ini_set('session.cookie_httponly', 1);

    // Prevent Session ID from being passed through  URLs
    ini_set('session.use_only_cookies', 1);

If you are using https:// instead of http:// , then also do

     // Uses a secure connection (HTTPS) 
     ini_set('session.cookie_secure', 1); 

This method is also suitable for thos who dont have access to php.ini