10

I want to make my session cookie HttpOnly. Based on this article, I added this to my application.ini:

resources.session.cookie_httponly = true

Unfortunately, when I look at the session cookie in Firecookie, it is not marked as HttpOnly as I have specified. What step am I missing?


Sonny
  • 1
    "when I look at the session cookie in Firecookie, it is not marked as HttpOnly" --- how exactly cookie should be marked? What did you expect to see there? – zerkms Dec 16 '10 at 15:01
  • `HttpOnly` **is** a step to protect from XSS: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html – Sonny Dec 16 '10 at 15:08
  • @Sonny: it is a step to protect against cookies hijacking, not xss. XSS is just a way to send the cookies, and `HttpOnly` is the option that does not allow you to read cookies from js. So it protects cookie from being readed in js. There is no connection between XSS and `HttpOnly`. – zerkms Dec 16 '10 at 15:15
  • 1
    FTA: "HttpOnly cookies are a great idea, and properly implemented, make huge classes of common XSS attacks much harder to pull off." – Sonny Dec 16 '10 at 15:17
  • @Sonny: omg... `HttpOnly` protects from cookie being read. Without this option your site is not more XSS vulnerable. – zerkms Dec 16 '10 at 15:19
  • Why are you being argumentative rather than helpful? This is not the only step I take for security, I just want to use all available tools. – Sonny Dec 16 '10 at 15:22
  • @Sonny: I just corrected you, because your phrase "I want to make my session cookie HttpOnly to reduce XSS vulnerabilities" is just wrong and I do care of future not-experienced readers who will follow your words. – zerkms Dec 16 '10 at 15:29
  • Well, on-topic now: Have you looked at the response headers? – zerkms Dec 16 '10 at 15:30
  • When I look at the Response and Request headers in Firebug, I can see a Set-Cookie line that specifies HttpOnly, but this is for a cookie other than my session cookie. Firecookie shows an HttpOnly column, and the cookie I am specifying HttpOnly is marked as such, but my session is not. I don't know where else to look. – Sonny Dec 16 '10 at 15:39
  • if it helps, removing the PHP session cookie and starting the session again is the first test for testing. Mine worked with only the ini setting – almaruf Apr 10 '19 at 10:05

3 Answers

11

Try, at bootstrap, to do `Zend_Session::setOptions(array('cookie_httponly' => true));` (somewhere before the session is first initialized), though it should work with the app.ini file too.

Poelinca Dorin
7

Add this to your application.ini file.

phpSettings.session.cookie_httponly = true
arturgrigor
1

For this to be 100% safe:

The server should not allow the HTTP TRACE method. The HTTP TRACE method reports the session id. If an attacker can inject a Java applet, Flash or JavaScript with AJAX, the attacker can also steal cookies even with the httponly flag set...
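The thread's actual debugging advice is to look at the raw response headers rather than at the browser's cookie view, and to remove the existing PHP session cookie before re-testing. As an added example that is not part of this thread or of Zend Framework, here is a small Python checker that parses the Set-Cookie lines of a captured HTTP response, reports per cookie whether HttpOnly and Secure are present, and classifies the session cookie as HttpOnly, missing HttpOnly, or not sent at all. The third state is the trap almaruf's comment points at: when the browser already holds a session cookie, PHP does not issue a new Set-Cookie for it, so no ini or setOptions change can show up until the old cookie is deleted. The cookie name PHPSESSID is PHP's default session.name (an assumption if your app renames it), and the three response captures are constructed for the example.

```python
"""Audit Set-Cookie headers of a captured HTTP response for HttpOnly/Secure.

Added example; not code from the question or from Zend Framework.
"""

# PHP's default session cookie name (session.name); assumed for this example.
SESSION_COOKIE_NAME = "PHPSESSID"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie_headers(raw_headers, session_name=SESSION_COOKIE_NAME):
    """Return {cookie_name: {"httponly": bool, "secure": bool, "is_session": bool}}.

    Only Set-Cookie lines are inspected; header names are matched case-insensitively.
    """
    findings = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        findings[cookie["name"]] = {
            "httponly": "httponly" in cookie["attrs"],
            "secure": "secure" in cookie["attrs"],
            "is_session": cookie["name"] == session_name,
        }
    return findings


def session_cookie_status(raw_headers, session_name=SESSION_COOKIE_NAME):
    """Classify the session cookie in this response.

    'httponly'         - session cookie was sent with the HttpOnly attribute
    'missing-httponly' - session cookie was sent without it (the config is not applied)
    'not-sent'         - no Set-Cookie for the session cookie at all; the browser already
                         has one, so delete it and reload before judging the config
    """
    findings = audit_set_cookie_headers(raw_headers, session_name)
    if session_name not in findings:
        return "not-sent"
    return "httponly" if findings[session_name]["httponly"] else "missing-httponly"


# Constructed captures, not real traffic. RESPONSE_BEFORE mirrors the symptom in the
# question: another cookie carries HttpOnly, the session cookie does not.
RESPONSE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Set-Cookie: remember_me=1; expires=Thu, 16-Dec-2010 15:00:00 GMT; path=/; HttpOnly
"""

RESPONSE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly
"""

# Browser already held a session cookie, so PHP re-sent nothing for it.
RESPONSE_NO_SESSION_SETCOOKIE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: remember_me=1; path=/; HttpOnly
"""


if __name__ == "__main__":
    for label, capture in (("before", RESPONSE_BEFORE),
                           ("after", RESPONSE_AFTER),
                           ("no Set-Cookie", RESPONSE_NO_SESSION_SETCOOKIE)):
        print(label, "->", session_cookie_status(capture))
        for name, info in audit_set_cookie_headers(capture).items():
            print("   ", name, info)
```

Run it against headers pasted from Firebug's Net panel (or from `curl -i`); a `not-sent` result means the test itself was invalid, not that the setting failed. The Secure flag is reported alongside HttpOnly because the two are usually reviewed together, but the thread only discusses HttpOnly.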