1
0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-07-10 19:16:22 +02:00

Document 'httponly' cookie attribute and how to change it in README

This commit is contained in:
Marco
2017-10-21 22:30:41 +02:00
parent 70a905afd7
commit 2ded232d8e

View File

@ -83,6 +83,7 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
* [Renaming the librarys cookies](#renaming-the-librarys-cookies)
* [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies)
* [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available)
* [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies)
* [Utilities](#utilities)
* [Creating a random string](#creating-a-random-string)
* [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122)
@ -984,6 +985,28 @@ You can change the attribute through one of the following means, in order of rec
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
#### Controlling client-side script access to cookies
Using the `httponly` attribute, you can control whether client-side scripts, i.e. JavaScript, should be able to access your cookies or not. For security reasons, it is best to *deny* script access to your cookies, which reduces the damage that successful XSS attacks against your application could do, for example.
Thus, you should always set `httponly` to `1`, except for the rare cases where you really need access to your cookies from JavaScript and cant find any better solution. In those cases, set the attribute to `0`, but be aware of the consequences.
You can change the attribute through one of the following means, in order of recommendation:
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_httponly` directive and change its value as desired, e.g.:
```
session.cookie_httponly = 1
```
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_httponly` directive as desired, e.g.:
```php
\ini_set('session.cookie_httponly', 1);
```
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
### Utilities
#### Creating a random string