PHP 5.2 to get HttpOnly!

Ilia has just blogged that HttpOnly is now supported in PHP 5.2.

HttpOnly does not stop XSS itself, but it does defeat the most basic XSS payload: an injected script reading document.cookie and sending the session cookie to a host the attacker controls. A cookie flagged HttpOnly is still sent with every request, it just isn't exposed to script.
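The PHP side of this, as an added example that is not from the original post or from PHP's own documentation: the session cookie gets HttpOnly through the new session.cookie_httponly setting, an application cookie through the seventh parameter that setcookie() gained in 5.2, and older PHP can still emit the flag with a raw header() call. The cookie name remember_me and its value are illustrative.

```php
<?php
// Added example, not code from the original post or from PHP itself.
// Demonstrates marking cookies HttpOnly in PHP 5.2, with a fallback
// for earlier releases. Cookie name/value below are illustrative.

/**
 * Send a cookie that script cannot read via document.cookie (on browsers
 * that honour HttpOnly). On PHP >= 5.2 this uses the new 7th parameter
 * of setcookie(); on older PHP it builds the Set-Cookie header by hand.
 * Returns false if output has already started and no header can be sent.
 */
function set_httponly_cookie($name, $value, $expire = 0, $path = '/', $domain = '', $secure = false)
{
    if (headers_sent()) {
        return false; // too late to add headers; caller should log this
    }

    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // name, value, expire, path, domain, secure, httponly
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Fallback for PHP < 5.2: mirror setcookie()'s own header format.
    $cookie = $name . '=' . urlencode($value);
    if ($expire > 0) {
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expire);
    }
    if ($path !== '') {
        $cookie .= '; path=' . $path;
    }
    if ($domain !== '') {
        $cookie .= '; domain=' . $domain;
    }
    if ($secure) {
        $cookie .= '; secure';
    }
    $cookie .= '; HttpOnly';
    header('Set-Cookie: ' . $cookie, false); // false: keep any cookies already queued
    return true;
}

// Session cookie (PHPSESSID): let ext/session add HttpOnly itself.
// This must run before session_start(). The php.ini equivalent is:
//   session.cookie_httponly = 1
// On PHP < 5.2 the directive does not exist and ini_set() returns false,
// so the session cookie would have to go out via set_httponly_cookie()
// with session_id() as the value instead.
ini_set('session.cookie_httponly', 1);
session_start();

// Application cookie. Mark it secure too when the site is served over HTTPS
// (IIS reports HTTPS as "off" rather than leaving it unset).
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
set_httponly_cookie('remember_me', 'illustrative-token-value', time() + 86400, '/', '', $is_https);
```

Both calls have to happen before any output, since cookies travel in response headers; the headers_sent() guard makes that failure visible instead of silently dropping the cookie.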

Browser support:

  • IE 6.0 SP1 and later – prevents reading, but not over-writing (script can still preset a cookie value, which leaves session fixation open)
  • IE 7.0 – prevents reading and writing – safest
  • Safari 1.3 – not supported (updated)
  • Opera 8 and later – not supported (updated)
  • Mozilla – not supported
  • Firefox – not supported
  • IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage those users to migrate to Safari or Firefox once they support HttpOnly

There is a potential solution for Firefox’s and Mozilla’s lack of support.

Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!

Update: Chris and I spent some time working out whether HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.

Published by Just another security geek
