Daniel R
Reputation: 75
Mixing ordinary and httponly cookies
I am using PHP setcookie to set ordinary cookies, then later setting one with httponly. It seems this does not work. The setcookie function returns success but the cookie is not set in $_COOKIE.
Is it possible to mix ordinary and httponly cookies?
UPDATE
Yes, it works.
Thanks Rudi.
Upvotes: 1
Views: 238
Answers (1)
Rudi Visser
Reputation: 21969
As noted in comments, mixing non-httponly and httponly cookies is not a problem at all if you're reading them by PHP, because PHP obviously needs a HTTP request to be processed and so will receive the cookie as usual, regardless of it's HttpOnly flag.
The following test case can prove this (open, and refresh):
<?php
echo '<pre>';
var_dump($_COOKIE);
echo '</pre>';
setcookie('TestNonHttpOnly', 'True', time() + 3600, '/', '.example.com', false, false);
setcookie('TestHttpOnly', 'True', time() + 3600, '/', '.example.com', false, true);
Upvotes: 1
Related Questions
- How do you set up use HttpOnly cookies in PHP
- Insecure HTTP cookies
- Including httponly in cookies
- How to set cookies HTTPOnly and secure attributes?
- Is http-only cookie safe?
- Is there any reason not to use HttpOnly for all cookies?
- are there implicit cookies created while web navigation? / httpOnly flag
- Cookie without Secure flag and HttpOnly flag set
- PHP cookie handling
- Is there a way to check if a cookie is httponly in PHP