Reputation: 61
I am working on my site's "remember me" functionality and I am using session_set_cookie_params to keep a session alive even if the user decides to close his or her browser. The problem I have been running into is that the browser deletes the cookies even if I set them to be persistent; this only happens when I set the HttpOnly flag on the cookie to true.
Here's some pseudocode for what I have in place:
set cookie lifetime for php ini
set garbage collector max lifetime for php ini
determine if the user wants a persistent session or not
set the sessions cookies' time and make sure it's using HttpOnly
start the session
Here is what I currently understand about the function being used, let me know if I am wrong about anything:
In this case I definitely do not want the cookies to be accessible via JavaScript. Did I do anything wrong?
Also let me know if I should add more information, this is my first time asking a question. Thank you.
Upvotes: 4
Views: 1027
Reputation: 61
Alright, so I ended up fixing this problem, and as it turns out it had nothing to do with the HttpOnly flag. In the end it had to do with setting the persistence of the cookie in the wrong place.
So the problem lay in the fact that I used setcookie before setting the cookies to be persistent. To solve the problem I simply set the cookie to be persistent before calling the setcookie function.
My apologies for assuming that the error lay with the HttpOnly flag; it was a big assumption that I should not have made.
Upvotes: 2
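One way to order the calls that the question's pseudocode and the answer describe, shown as an added example that is not the poster's code. The helper names, the 30-day lifetime, the cookie path and the HTTPS-only setting are assumptions:

```php
<?php
declare(strict_types=1);

// Assumed value for this example: how long a "remember me" session lasts.
const REMEMBER_SECONDS = 60 * 60 * 24 * 30; // 30 days

/**
 * Hypothetical helper: configure the session cookie, then start the session.
 * Everything that shapes the cookie has to run before session_start(),
 * because session_start() is the call that emits the Set-Cookie header.
 * The array forms used below need PHP 7.3 or later.
 */
function start_app_session(bool $remember): void
{
    // 0 means "session cookie": the browser drops it when it closes.
    $lifetime = $remember ? REMEMBER_SECONDS : 0;

    // Server-side session data must outlive the cookie, or the cookie
    // will point at a session the garbage collector already removed.
    ini_set('session.gc_maxlifetime', (string) max($lifetime, 1440));

    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,  // assumes the site is served over HTTPS
        'httponly' => true,  // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    session_start();
}

/**
 * Hypothetical helper: make an already-started session persistent by
 * re-sending its cookie with an explicit expiry. HttpOnly is kept on;
 * the flag does not stop the cookie from being persistent.
 */
function make_session_persistent(): void
{
    $p = session_get_cookie_params();
    setcookie(session_name(), (string) session_id(), [
        'expires'  => time() + REMEMBER_SECONDS,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => true,
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
}
```

To confirm the result, look at the Set-Cookie response header in the browser's network tools: a persistent cookie carries an Expires or Max-Age attribute next to HttpOnly, while a session-only cookie has neither.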