Thanks to a patch from Scott MacVicar that I've just applied to CVS, PHP 5.2 will have support for httpOnly cookie flag. This neat little feature allows you to mark a newly created cookie as HTTP only, another words inaccessible to browser based scripting languages such as JavaScript. This means it would become far more difficult, if not impossible to steal a user's cookie based session by injecting JavaScript into a page and then using to read cookies.
This flag can be toggled by passing TRUE as the 7th parameter to the setcookie() and the setrawcookie() functions respectively. Ex:
PHP:
<?php
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
setrawcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
?>
The support of the httpOnly flag extends to the session extension as well, where it can be enabled by setting the session.cookie_httponly INI setting to 1. Or passing TRUE as the 5th parameter to the session_set_cookie_params() function.
PHP:
<?php
ini_set("session.cookie_httponly", 1);
// or
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>
Unfortunately, at this time according to my tests no other browser has adopted this rather handy feature, but with the continual increase of XSS attacks, I am sure they'll adopt this concept soon.
For people using PHP 4 and PHP 5.1 you can add this flag yourself by sending cookies manually via the header function and prefixing the ;httpOnly flag to the cookie as shown in the example below:
PHP:
<?php
header("Set-Cookie: hidden=value; httpOnly");
?>