Php – How to set up use HttpOnly cookies in PHP

cookieshttponlyphpsecurityxss

How can I set the cookies in my PHP apps as HttpOnly cookies?

Best Solution

For PHP's own session cookies on Apache:
add this to your Apache configuration or .htaccess

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

ini_set( 'session.cookie_httponly', 1 );