HttpOnly attribute
PHP-A1003
    public function setUser(array $data): void
    {
        // Flagged by this rule: no 'httponly' key is given, so it defaults to false
        setcookie('user_name', $data['name'], [
            'expires' => time() + 3600,
            'domain'  => 'example.com',   // 'url' is not a valid setcookie() option key
        ]);
    }
Cookies set without the httponly flag can be read by client-side script, which leads to cookie theft through Cross-Site Scripting (XSS) attacks. By default, the setcookie and setrawcookie functions create cookies with httponly set to false. It is recommended to explicitly set httponly to true to prevent this risk.
In the past this has led to vulnerabilities such as Cross-Site Scripting (XSS) attacks aimed at stealing the cookies set by the application. If the httponly attribute is set to true, an XSS vulnerability cannot be exploited to steal the application's cookies.