How can Javascript be prevented from accessing PHP cookie data? - Stack Overflow

(Taken from a job interview)

Which of the following answers are correct?

  • Use the httponly parameter when setting the cookie
  • The user must turn off Javascript support
  • It's a cookie setting in the browser
  • Only the issuing domain can access the cookie
  • One is on the client and the other is on the server, so it's not an issue

asked Apr 19, 2011 at 6:02 by Greg; edited Apr 19, 2011 at 11:08 by Matt Ellen
  • You might find $cookie->setHttpOnly($httpOnly) helpful, as found in this standalone library. – caw Commented Sep 21, 2016 at 2:27
4 Answers

When the cookie header is set, you can specify httpOnly.

This can be done via PHP's setcookie function:

setcookie ( $name, $value, $expire, $path, $domain, $secure, $httponly )

httpOnly instructs the browser to not allow JS to access the cookie.

The correct answer is the first:

Use the httponly parameter when setting the cookie

This flag prevents (on compatible browsers, almost all, including IE >= 6sp1) the JavaScript engine in the browser from accessing cookies with this parameter. You can set this flag for regular cookies with setcookie and for session cookies with session_set_cookie_params.

edited: Support for IE >= 6sp1 instead of IE >= 7
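
What the httponly flag changes in the browser, as an added example that is not part of the original answers: a simplified JavaScript model of a cookie jar that parses Set-Cookie headers and shows that an HttpOnly cookie is still sent back to the server but left out of what document.cookie returns. The function names and header values are constructed for illustration, and the model assumes a single origin and path, ignoring Expires, Domain, Path and Secure matching.

```javascript
// Added example: simplified model of a browser cookie jar (not a real browser API).
// Assumes one origin and path; Expires, Domain, Path and Secure matching are ignored.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [first, ...rest] = header.split(";");
  const pair = first.trim();
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no "name=" part: nothing to store
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive, so HttpOnly, httponly and HTTPONLY are the same.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Store cookies by name; a later Set-Cookie with the same name replaces the earlier one.
function buildJar(setCookieHeaders) {
  const jar = new Map();
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (cookie) jar.set(cookie.name, cookie);
  }
  return [...jar.values()];
}

const serialize = (cookies) => cookies.map((c) => `${c.name}=${c.value}`).join("; ");

// Cookie request header: the server receives every stored cookie, HttpOnly or not.
function cookieRequestHeader(jar) {
  return serialize(jar);
}

// document.cookie as script sees it: cookies carrying HttpOnly are left out.
function scriptVisibleCookies(jar) {
  return serialize(jar.filter((c) => !("httponly" in c.attrs)));
}

// Constructed sample headers, in the shape of Set-Cookie headers a PHP application sends.
const SAMPLE_HEADERS = [
  "PHPSESSID=q1w2e3r4t5; path=/; HttpOnly",
  "theme=dark; path=/",
  "remember=constructed-token; path=/; secure; httponly",
];
const SAMPLE_JAR = buildJar(SAMPLE_HEADERS);

console.log("sent to server :", cookieRequestHeader(SAMPLE_JAR));
console.log("document.cookie:", scriptVisibleCookies(SAMPLE_JAR));
```

Any cookie name that shows up in the second line of output is one a script on the page can read, which makes the same filter usable as a quick audit of captured response headers.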

a cookie is client side..... ?

The user must turn off Javascript support - aggressive

Use the httponly parameter when setting the cookie - probably the right answer but as was answered earlier.. there are work-arounds I suppose

Cookies are an HTTP concept, not a PHP concept. PHP can create and modify cookies, but there is no such thing as a "PHP COOKIE". The browser doesn't care whether the response was generated by PHP, or by Python, or by a Perl CGI.

Trying to identify what could be the real question, the possibilities are:

  1. The cookie to keep the session id in the browser
  2. a cookie sent with setcookie

I bet on question 1. I understand that the correct question should have been:

"Why is the client side, using JavaScript or any other method, unable to view or modify the information stored in the PHP session?"

Then, the answer is:

"Because, even if PHP sessions use cookies, these cookies are only used to store the session id, not the content of the session. The content of the session is stored on the server, not in the cookie itself."
