This flag can be toggled by passing TRUE as the 7th parameter to the setcookie() and the setrawcookie() functions respectively. Ex:
The support of the httpOnly flag extends to the session extension as well, where it can be enabled by setting the session.cookie_httponly INI setting to 1. Or passing TRUE as the 5th parameter to the session_set_cookie_params() function.
ini_set("session.cookie_httponly", 1); // or session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
Unfortunately, at this time according to my tests no other browser has adopted this rather handy feature, but with the continual increase of XSS attacks, I am sure they'll adopt this concept soon.
For people using PHP 4 and PHP 5.1 you can add this flag yourself by sending cookies manually via the header function and prefixing the ;httpOnly flag to the cookie as shown in the example below:
I did some test prior to creating the patch and IE 6 SP1, Opera 9.01 and Konqueror had support. Safari may have support though I'm unaware of how much of KHTML they use.
Firefox currently has a patch but are being cautious in breaking backwards compatibility with the cookie file format.
It should be noted that this doesn't fix XSS attacks and is only useful when the cookies contain sensitive information, an attacker could still insert a script which executes an attack by manipulating the content of a page via the DOM.
Is the cookie specification being amended/revised to add the httpOnly flag, or is this something that one browser developer thought up? In short, I'm just curious to know who developed the idea of httpOnly and who is driving its adoption?
Well, doing a google search brings up a lot about IE, but http://weblogs.mozillazine.org/gerv/archives/2006/07/httponly_for_firefox.html brings up more information. It is a not a standard officially, but I'm sure it will be made one in the far future.
I think that stealing an httpOnly cookie is possible when you have an XSS vulnerability and the web server supports HEAD requests. But of course it is much more difficult to steal the cookie than without httpOnly.
It is also important to note that some browsers do break with this flag, IE on a mac is one notable example.
Not to appear rude - but I was hoping that PHP was becoming LESS of a mess. Why haphazardly add stuff until it's decided how it's going to turn out? I mean, come on, just LOOK at that. Ok, sure, it's a useful addition..it's still ugly as sin.
Firefox 22.214.171.124 have finally support for httponly http://forums.mozillazine.org/viewtopic.php?p=2965188
That's good to see php ready for that flag, of course this is not a 100% xss protection, but anyway, we should do everything possible in case we forgot to escape something.. (even google have xss, that's mean everyone can have)
Now browsers&plugins developers(like flash) must make sure what a cookie with httponly can't be seen by client side scripts.