
php - Session Cookie without HttpOnly flag set - Stack Overflow


I have just built a website with a login system. After I had it ready I scanned it with Acunetix, but I got the following messages:

Session Cookie without HttpOnly flag set
Session Cookie without Secure flag set (I guess this is only if I have an SSL connection)

So my question would be: how can I set the HttpOnly flag for all my session data? I'm just using sessions when I log in the users. I'm giving them a session with their userID number and then I'm getting data using that userID.

Is there any simple way that I can set ALL of the session cookies HttpOnly and secure them, so no one can touch them?


asked Oct 25, 2012 at 18:35 by user1406071

3 Answers


You can either change settings in php.ini, or via ini_set() calls to change session.cookie_secure and session.cookie_httponly values to true.

Alternately, you can use session_set_cookie_params() before starting your session to get the effect you are looking for.

https://www.php.net/manual/en/function.session-set-cookie-params.php

You should check out this excellent site for this question. It comes down to setting it in the sessions section of your php.ini (or via the appropriate runtime function):

session.cookie_httponly = True

You could also just set the httponly flag to false when you use PHP's setcookie:

// params: name, value, expiration, path, domain, secure, http-only
setcookie('session-cookie-key', 'data', 0, '/', 'example.com', true, false);
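A worked version of what the first and third answers describe, added here as an example and not taken from any of the answers: it applies HttpOnly and Secure to PHP's own session cookie through session_set_cookie_params() before session_start(), then reads back the queued Set-Cookie header to confirm the flags are present (the Acunetix finding in the question is exactly that check, made from the client side). Note that the setcookie() call in the answer above passes false for the http-only argument, so it would not satisfy the scanner; the HttpOnly argument has to be true. The array form of session_set_cookie_params() and the 'samesite' option exist since PHP 7.3; the HTTPS detection from $_SERVER and the loginUser() helper are this example's own assumptions, not anything the page states.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answers.
// Hardened session-cookie configuration: HttpOnly always, Secure when the
// request came in over HTTPS, plus SameSite to limit cross-site sending.

/**
 * Build the option array for session_set_cookie_params() (PHP >= 7.3).
 * Secure is tied to the connection: a Secure cookie is never sent over plain
 * HTTP, so forcing it on an HTTP-only test site would break logins.
 */
function sessionCookieOptions(bool $isHttps, string $domain = ''): array
{
    return [
        'lifetime' => 0,          // browser-session cookie, no fixed expiry
        'path'     => '/',
        'domain'   => $domain,    // '' means the host of the current request
        'secure'   => $isHttps,
        'httponly' => true,       // not readable via document.cookie
        'samesite' => 'Lax',
    ];
}

/**
 * Look at the headers PHP has queued and report which attributes the
 * Set-Cookie header for $cookieName carries. Empty array if none is queued.
 */
function sessionCookieFlags(string $cookieName): array
{
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . $cookieName . '=') !== 0) {
            continue;
        }
        $lower = strtolower($header);
        return [
            'httponly' => strpos($lower, '; httponly') !== false,
            'secure'   => strpos($lower, '; secure') !== false,
            'samesite' => strpos($lower, '; samesite=') !== false,
        ];
    }
    return [];
}

/**
 * What the questioner does after a successful login: store the user's ID.
 * Regenerating the session ID first keeps the pre-login ID from carrying
 * over into the authenticated session (assumed helper, not from the page).
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['userID'] = $userId;
}

// Assumed HTTPS detection; adjust if a reverse proxy terminates TLS.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;

session_set_cookie_params(sessionCookieOptions($isHttps));
session_start();

// Self-check: log if the cookie PHP is about to send lacks the flags.
$flags = sessionCookieFlags(session_name());
if ($flags === [] || !$flags['httponly'] || ($isHttps && !$flags['secure'])) {
    error_log('session cookie is missing HttpOnly or Secure');
}
```

The same result can be reached without code by setting session.cookie_httponly and session.cookie_secure in php.ini, as the second answer says; the runtime call is useful when you cannot edit php.ini or need Secure to follow the connection.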