Protecting Your Cookies: HttpOnly

A very good and funny writeup on fighting XSS attacks with HttpOnly cookies. I prefer to set session.cookie_httponly = 1 right in the server's php.ini file (for PHP projects). If a project depends on JavaScript access to cookies, then fix the project and not the other way around. Smile

Syndicate content