Comments on: HTTP Only cookies without PHP 5.2

By: Jen

Jen — Tue, 16 Aug 2011 18:57:17 +0000

In answer to my question above if it helps anyone for future, I was able to solve the issue with:

@setcookie( $name, $value, $expires, $path, $domain . ‘secure; HttpOnly’ );

By: Jen

Jen — Tue, 16 Aug 2011 15:17:26 +0000

Regarding your if version lower than 5.2 method …
have you found a way to set both the httpOnly and the secure flag? This code appears to be just what I’ve been looking for and works great, however, it seems i can only set httpOnly OR secure, not both using this method. I would prefer to set both and am running 5.1.6.

Thanks in advance,
Jen

By: Jet

Jet — Sun, 29 Apr 2007 16:41:53 +0000

@Matt: thanks for the tips, I just applied your suggestion to my IPB’s setcookie function, as it will take months to see PHP 5.2 coming.

By: dgx

dgx — Wed, 06 Dec 2006 09:24:00 +0000

ups… my mistake. PHP_VERSION must be something like ’5.10.1′ to see difference.

By: dgx

dgx — Wed, 06 Dec 2006 09:14:23 +0000

Matt, you should use version_compare(). When PHP_VERSION is ’5.2.1′, the comparsion PHP_VERSION < 5.2 returns FALSE.

By: Matt

Matt — Thu, 14 Sep 2006 17:04:03 +0000

I’ve updated my original blog post. I’ve had a dig around in the PHP source.

By: Matt

Matt — Thu, 14 Sep 2006 16:53:48 +0000

This reminds me, it would be nice to be able to send custom fields to the setcookie() function like one can with mail() – it would future proof PHP against changes in cookie syntax.

By: Matt

Matt — Thu, 14 Sep 2006 16:51:52 +0000

I was surprised too. I can only assume they didn’t consider they needed to clean the domain name as no valid domain name allows for a semi-colon.

By: Kier Darby

Kier Darby — Thu, 14 Sep 2006 16:42:51 +0000

In the absense of PHP 5.2 and its native HttpOnly support, we are actually rolling our own cookies using header() calls, as you may have seen. Your hack of the setcookie() function is nice, I’m surprised PHP doesn’t clean for the semi-colon, but there we go.

I’ll be interested to see how you’ve tackled the Firefox issue.

By: Matt

Matt — Thu, 14 Sep 2006 16:01:44 +0000

I know that it was Scott that wrote the little patch for PHP.

The great thing is that you don’t need it — or at very least, don’t need to wait for PHP 5.2

I’m going to post up my Firefox version later today that you may want to consider using too.