Home  >  Article  >  Backend Development  >  Detailed explanation of the HTTPONLY attribute method of setting Cookie in PHP

Detailed explanation of the HTTPONLY attribute method of setting Cookie in PHP

黄舟
黄舟Original
2017-03-07 09:50:254136browse

The following editor will bring you an article on how to set the HTTPONLY attribute of Cookie in PHP. The editor thinks it is quite good, so I will share it with you now and give it as a reference for everyone. Let’s follow the editor to take a look.

httponly is an extension made by Microsoft to cookies. This is mainly to solve the problem that users’ cookies may be stolen.

As we all know, when we log in to our mailbox or forum, the server will write some cookies to our browser. When we visit other pages next time, the browser will automatically transfer the cookie, so this is achieved Once you log in, you can see all the content that you need to log in to see. In other words, in essence, all login statuses are based on cookies! Assuming that the cookies we log in are obtained by others, there is a risk of exposing personal information! Of course, think about it, how can anyone else get the customer's cookies? That must be a malicious person's program running in the browser! If it is rogue software that is flying all over the world now, there is no way. httponly is not used to solve this situation. It is used to solve the problem of JavaScript accessing cookies in the browser. Just imagine, a flash program running in your browser can get your cookies!

SP1 of IE6 has support for httponly, so it is relatively safe.

Settings in PHP

PHP5.2 and above already support the setting of HttpOnly parameters, and also support global HttpOnly Settings, in php.ini
---------------------------------------- -------------
session.cookie_httponly =
-------------------------- --------------------------

Set its value to 1 or TRUE to enable the global Cookie HttpOnly attribute, of course It is also supported to be turned on in the code:

<?php ini_set("session.cookie_httponly", 1); 
 // or session_set_cookie_params(0, NULL, NULL, NULL, TRUE); 
?>

Cookie operation function setcookie function and setrawcookie function also specifically add a seventh parameter as an HttpOnly option. The opening method is:

<?php
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE); 
setrawcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);
?>

For versions before PHP5.1 and PHP4, you need to work around it through the header function:

<?php 
header("Set-Cookie: hidden=value; httpOnly"); 
?>

The above is the detailed explanation of the HTTPONLY attribute method of setting cookies in PHP. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn