[ciapug] HttpOnly cookies to prevent XSS
Eric Junker
eric at eric.nu
Tue Sep 2 14:27:04 CDT 2008
I came across this information and thought some of you might be interested.
If you use cookies for authentication you should be aware of the
HttpOnly flag for cookies. When this flag is set on a cookie it makes the
cookie 'invisible' to JavaScript, which means XSS attacks cannot steal
your cookies. Not all browsers support HttpOnly, but IE7 and FF3 support
it. If you are using PHP 5.2 or later, setcookie() has support for
HttpOnly; otherwise you can set the flag manually by using header().
http://www.codinghorror.com/blog/archives/001167.html
http://blog.mattmecham.com/2006/09/12/http-only-cookies-without-php-52/
Eric
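As an added example that is not part of the original post, here is a small PHP helper that sets an authentication cookie with HttpOnly both ways described above: via setcookie() on PHP 5.2 or later, and via a hand-written Set-Cookie header on older versions. The function name, cookie name and session value are placeholders.

```php
<?php
// Added example (not from the original post): set an authentication cookie
// with the HttpOnly flag so document.cookie in the browser never exposes it.
// PHP 5.2+ takes HttpOnly as setcookie()'s 7th argument; on older PHP the
// Set-Cookie header is emitted by hand, as the post suggests.
// The cookie name and session id below are illustrative placeholders.

function set_httponly_cookie($name, $value, $expires = 0, $path = '/')
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
        return setcookie($name, $value, $expires, $path, '', false, true);
    }

    // Fallback for PHP < 5.2: write the raw Set-Cookie header ourselves.
    $cookie = $name . '=' . rawurlencode($value);
    if ($expires > 0) {
        // Cookie expiry dates must be in GMT.
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s T', $expires);
    }
    $cookie .= '; path=' . $path . '; HttpOnly';

    // Second argument false: do not replace other Set-Cookie headers.
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// Usage: a one-hour auth cookie with a placeholder session id.
set_httponly_cookie('auth', 'placeholder-session-id', time() + 3600);
```

Check the result with the browser's developer tools or by inspecting the response headers with curl -I: the Set-Cookie line should end in HttpOnly, and document.cookie in the page should not list the auth cookie.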