Software, your way.
How To Get Good Custom Software
(Download)
(PDF)
burger menu icon
WillMaster

WillMaster > LibraryCookies and Browser Interaction

FREE! Coding tips, tricks, and treasures.

Possibilities weekly ezine

Get the weekly email website developers read:

 

Your email address

name@example.com
YES! Send Possibilities every week!

Advanced Cookie Setting

When a cookie is handed from the server to the browser, or vice versa, the cookie can be encrypted to foil attempts to snoop its contents. That's a secure cookie.

JavaScript can be prevented from loading a cookie into the browser or reading a cookie the browser contains. Only server software and the browser may exchange cookies. That's an httponly cookie (no hyphen in httponly).

The article describes how to set secure cookies and httponly cookies. Both JavaScript and PHP examples are provided.

To learn about the more common fare of setting cookies with directory path and/or expiration values, see these articles:

Additional cookie-related articles are listed in the Cookies and Browser Interaction index.

Advanced Cookie Setting

The cookie setting methods described here are advanced simply because they're not the usual fare. They're easy enough to set. It's just that there's comparatively little how-to information about them available on the internet. So I call them "advanced," as opposed to "usual" or "common."

A secure cookie has its value encrypted during transmission between browser and server. This can happen only over SSL (secure server) connections with web pages at HTTPS URLs. If it's a secure page, secure cookies can be used. Otherwise, not.

The only difference between secure cookies and non-secure cookies is that the cookie's value is encrypted during transmission between browser and server, in either direction. They're not necessarily encrypted at the server or on the user's hard drive.

An httponly cookie can only be set and read by server software with an http connection (or https). That means the cookie can't be set or read by JavaScript. While browsers connect with the server via http or https, browsers aren't server software.

Because only server software can set or read httponly cookies, they can be used to foil JavaScript XSS cross-site scripting attacks to get to them.

A cookie can be both secure and httponly to restrict both transmission and access.

When to Set Secure Cookies

Set a secure cookie to encrypt the cookie's value while in transit between browser and server. When set as a secure cookie, the cookie's value is encrypted for both setting and reading.

As an example of use, a secure cookie may contain a custom-generated login ID or access code sent to the browser at an order form, after which the browser goes to a payment gateway (PayPal, for instance), and back to the merchant's website. The cookie is set at the order form and read when the buyer returns. Both order form and return page need to be at HTTPS URLs in order to set and read the cookie.

Because a secure cookie is secure only during transmission, it is still prudent to never store passwords or other sensitive information located in a secure cookie.

Setting a Secure Cookie

JavaScript

Setting a secure cookie with JavaScript is similar to setting a non-secure cookie.

As an example, this JavaScript will set a secure cookie named "CookieTest" with value "Once upon a time."

<script>
var name = "CookieTest";         // The cookie name.
var value = "Once upon a time."; // The cookie value.
// Now, set the cookie.
document.cookie = name + "=" + escape(value) + "; secure";
</script>

Appending a semi-colon and the word "secure" to the cookie value (; secure) makes it a secure cookie.

However, and note, the cookie will only be set when the browser has a secure HTTPS connection to the web page.

PHP

The difference between setting a secure cookie with PHP and setting a non-secure cookie is providing one additional value to the setcookie() function — the value true in the 6th parameter position (colored blue) in the following example.

To set a secure cookie with PHP that has the same value as the example JavaScript cookie, this will do the job:

setcookie("CookieTest","Once upon a time.",0,"","",true);

As with JavaScript, the cookie will only be set when the browser has a secure HTTPS connection to the web page.

The 0 and null string values in the function call, parameters 3 through 5, relate to expiration, path, and domain values for the cookie. In the example those are all zero or null. See Setting and Viewing Cookies with PHP for more information about setting those values.

When to Set Httponly Cookies

Use an httponly cookie to make the cookie unavailable to JavaScript. The httponly cookie may be read only by software on the server (like a PHP script).

To clarify a perhaps confusing concept when web page source code has both PHP code and JavaScript: The PHP code is run on the server before the page is sent to the browser. After the PHP code has run, then the web page is sent to the browser, after which JavaScript can run. Any JavaScript within the web page can't access the cookie because the browser isn't server software.

One reason to use httponly cookies is to prevent XSS cross-site scripting attacks from getting the cookie value. When it's important that the cookie remain secret from JavaScript, consider using httponly cookies.

Before finalizing the decision to use httponly cookies, consider that JavaScript won't be able to access the information. I know I'm reiterating here. But it's for a different point of view. Consider if, at any time in the future, you may want to use JavaScript to read the cookie.

Setting an Httponly Cookie

JavaScript

Unfortunately, JavaScript can't be used to set an httponly cookie. The HTTP-only restriction applies to setting as well as reading cookies.

A step-by-step guide is outside the scope of this article, but mention is made in case you need to develop the functionality: If httponly cookies need to be set after the web page has been loaded into the browser, it may be done with Ajax that sends the cookie particulars to a PHP script. The PHP script then sets the cookie. Similarly, Ajax and a PHP script can be used to access an httponly cookie's value.

PHP

Setting an httponly cookie with PHP is similar to setting a secure cookie — the secure cookie value being the 6th parameter and the httponly cookie value being in the 7th parameter position (colored blue) in the following example.

To set an httponly cookie with PHP that has the same cookie value as previous examples, this will do the job:

setcookie("CookieTest","Once upon a time.",0,"","",false,true);

Notice that the 6th parameter position in the function call related to secure cookies is specified as false. The position following that is the httponly position, which is specified as true. (The first five parameter positions are described in the Setting and Viewing Cookies with PHP article.)

If the cookie is to be both secure and httponly, the function is:

setcookie("CookieTest","Once upon a time.",0,"","",true,true);

Secure and Httponly

Although secure and httponly cookies are used relatively few times compared to the common fare, when they're needed they're really needed.

Secure cookies can be set and read with both JavaScript and PHP, but only through an SSL internet connection. Httponly cookies can be set and read only with software located on the server, such as PHP.

(This article first appeared in Possibilities ezine.)

Will Bontrager

Was this article helpful to you?
(anonymous form)

Support This Website

Some of our support is from people like you who see the value of all that's offered for FREE at this website.

"Yes, let me contribute."

Amount (USD):

Tap to Choose
Contribution
Method

All information in WillMaster Library articles is presented AS-IS.

We only suggest and recommend what we believe is of value. As remuneration for the time and research involved to provide quality links, we generally use affiliate links when we can. Whenever we link to something not our own, you should assume they are affiliate links or that we benefit in some way.

How Can We Help You? balloons
How Can We Help You?
bullet Custom Programming
bullet Ready-Made Software
bullet Technical Support
bullet Possibilities Newsletter
bullet Website "How-To" Info
bullet Useful Information List

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC