mirror of
https://github.com/delight-im/PHP-Auth.git
synced 2025-07-10 19:16:22 +02:00
Document 'httponly' cookie attribute and how to change it in README
This commit is contained in:
23
README.md
23
README.md
@ -83,6 +83,7 @@ Migrating from an earlier version of this project? See our [upgrade guide](Migra
|
||||
* [Renaming the library’s cookies](#renaming-the-librarys-cookies)
|
||||
* [Defining the domain scope for cookies](#defining-the-domain-scope-for-cookies)
|
||||
* [Restricting the path where cookies are available](#restricting-the-path-where-cookies-are-available)
|
||||
* [Controlling client-side script access to cookies](#controlling-client-side-script-access-to-cookies)
|
||||
* [Utilities](#utilities)
|
||||
* [Creating a random string](#creating-a-random-string)
|
||||
* [Creating a UUID v4 as per RFC 4122](#creating-a-uuid-v4-as-per-rfc-4122)
|
||||
@ -984,6 +985,28 @@ You can change the attribute through one of the following means, in order of rec
|
||||
|
||||
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
|
||||
|
||||
#### Controlling client-side script access to cookies
|
||||
|
||||
Using the `httponly` attribute, you can control whether client-side scripts, i.e. JavaScript, should be able to access your cookies or not. For security reasons, it is best to *deny* script access to your cookies, which reduces the damage that successful XSS attacks against your application could do, for example.
|
||||
|
||||
Thus, you should always set `httponly` to `1`, except for the rare cases where you really need access to your cookies from JavaScript and can’t find any better solution. In those cases, set the attribute to `0`, but be aware of the consequences.
|
||||
|
||||
You can change the attribute through one of the following means, in order of recommendation:
|
||||
|
||||
* In the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`), find the line with the `session.cookie_httponly` directive and change its value as desired, e.g.:
|
||||
|
||||
```
|
||||
session.cookie_httponly = 1
|
||||
```
|
||||
|
||||
* As early as possible in your application, and before you create the `Auth` instance, call `\ini_set` to change the value of the `session.cookie_httponly` directive as desired, e.g.:
|
||||
|
||||
```php
|
||||
\ini_set('session.cookie_httponly', 1);
|
||||
```
|
||||
|
||||
For this to work, `session.auto_start` must be set to `0` in the [PHP configuration](http://php.net/manual/en/configuration.file.php) (`php.ini`).
|
||||
|
||||
### Utilities
|
||||
|
||||
#### Creating a random string
|
||||
|
Reference in New Issue
Block a user