I have just built a website with a login system. After I got it ready I scanned it with Acunetix, but I got the following messages:
Session Cookie without HttpOnly flag set
Session Cookie without Secure flag set (I guess this is only if I have an SSL connection)
So my question would be, how can I set the HttpOnly flag for all my session data? I'm just using sessions when I log in the users. I'm giving them a session with their userID number and then I'm getting data using that userID.
Is there any simple way that I can set ALL of the sessions HttpOnly and secure them, so no one can touch them?
You should check out this excellent site for this question. It comes down to setting it in the sessions section of your php.ini (or via the appropriate runtime function):
You could also just set the httponly flag to false when you use PHP's setcookie:

You can either change settings in php.ini, or via ini_set() calls to change the session.cookie_secure and session.cookie_httponly values to true. Alternately, you can use session_set_cookie_params() before starting your session to get the effect you are looking for. http://us3.php.net/manual/en/function.session-set-cookie-params.php