HTTP Only cookies without PHP 5.2
by Matt Mecham
on September 12, 2006
For a while now, Microsoft has supported a cookie flag called 'HttpOnly' (it first shipped in Internet Explorer 6 SP1). This doesn't sound particularly exciting, but it is a vital step forward for web application security. The flag tells Internet Explorer to make the cookie invisible to JavaScript (and any other client-side script), which means an XSS attack can no longer read your sensitive cookies out of document.cookie. Note what it does not do: script injected by XSS can still issue requests that carry the cookie, so the flag stops the session from being copied out of the browser, not from being used inside it.
The problem is that HttpOnly support has only just been added to PHP, in the 5.2 release, which makes the feature unavailable on most web servers for the time being.
However, there is a way to force the flag to be written regardless of your PHP version: append "; HttpOnly" to the domain name when setting the cookie. PHP's setcookie function merely formats its arguments into a Set-Cookie header, and the releases in question do not filter or escape the semicolon in the domain argument, so the text is copied verbatim and the header the browser receives ends in "domain=example.com; HttpOnly", exactly what the dedicated PHP 5.2 argument produces (browsers treat the attribute name as case-insensitive). Two caveats follow from this. The trick only works because the domain argument is copied unchecked; later PHP releases apply the same character check to the path and domain arguments that setcookie has always applied to the cookie name, and reject the value with a warning instead of sending it, so treat this purely as a stop-gap for pre-5.2 installations. And the same lack of escaping cuts both ways: any user-controlled data that reaches the path or domain arguments can inject cookie attributes in exactly the same manner, so those arguments must never be built from request input.
// PHP 5.2 added a seventh $httponly argument to setcookie(); compare
// versions properly rather than comparing the version string to a float
if ( version_compare( PHP_VERSION, '5.2.0', '>=' ) )
{
setcookie( $name, $value, $expires, $path, $domain, false, true );
}
else
{
// Older PHP copies $domain into the header verbatim, so the appended
// text becomes the HttpOnly attribute of the Set-Cookie line
setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' );
}
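To make the mechanism concrete, here is an added example (not code from the original post, and not PHP's own source) that models in Python what setcookie does with its arguments, then checks the result the way a browser or an auditor would. The header builder approximates the formatting in PHP's ext/standard/head.c; the strict flag is an assumption that models the path/domain validation of later PHP releases; the sample HTTP response is constructed, not captured from a real server. The pre-5.2 domain trick and the 5.2 argument are shown to produce byte-identical headers, and audit_response is the check to run against a server's real output rather than trusting document.cookie in one browser.

```python
import time
from urllib.parse import quote_plus

# Characters PHP's setcookie() has always rejected in a cookie *name*
# (the strpbrk() check in ext/standard/head.c). The post's trick relies
# on the 2006-era releases NOT applying this check to the domain
# argument, so a ';' placed there is copied straight into the header.
FORBIDDEN = ",; \t\r\n\x0b\x0c"


def php_style_set_cookie(name, value, expires=0, path="", domain="",
                         secure=False, httponly=False, strict=False):
    """Build the Set-Cookie header that PHP's setcookie() would emit.

    Approximation of ext/standard/head.c, not PHP's own code.
    strict=False models pre-5.2 behaviour (domain copied verbatim);
    strict=True is an assumption modelling the validation later
    releases apply to the path and domain arguments as well.
    """
    if any(c in name for c in "=" + FORBIDDEN):
        raise ValueError("cookie names cannot contain '=,; \\t\\r\\n\\013\\014'")
    if strict:
        for label, field in (("path", path), ("domain", domain)):
            if any(c in field for c in FORBIDDEN):
                raise ValueError("cookie %s cannot contain ',; \\t\\r\\n\\013\\014'" % label)

    header = "Set-Cookie: %s=%s" % (name, quote_plus(value))  # PHP urlencodes the value
    if expires:
        header += "; expires=" + time.strftime("%a, %d-%b-%Y %H:%M:%S GMT",
                                               time.gmtime(expires))
    if path:
        header += "; path=" + path
    if domain:
        header += "; domain=" + domain      # no escaping: this is the injection point
    if secure:
        header += "; secure"
    if httponly:
        header += "; HttpOnly"              # what the PHP 5.2 argument appends
    return header


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes), with
    attribute names lower-cased, roughly as a browser's cookie jar does."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_httponly(header):
    """True if the header carries the (case-insensitive) HttpOnly attribute."""
    return "httponly" in parse_set_cookie(header)[2]


def audit_response(raw_headers):
    """Map each cookie set in a raw HTTP response header block to whether
    it is HttpOnly. Run this on the server's actual output (headers
    captured with a proxy or curl -i), not on document.cookie."""
    report = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = parse_set_cookie(line)
            report[name] = "httponly" in attrs
    return report


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Set-Cookie: auth=deadbeef; path=/; domain=.example.com; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    # The pre-5.2 trick and the 5.2 argument produce identical headers.
    print(php_style_set_cookie("sid", "abc", 0, "/", "example.com; HttpOnly"))
    print(php_style_set_cookie("sid", "abc", 0, "/", "example.com", httponly=True))
    print(audit_response(SAMPLE_RESPONSE))
```

Passing strict=True with the injected domain raises the same kind of warning-and-refuse outcome that later PHP gives, which is the reason the trick has a shelf life.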
I've tested this out and it appears to work fine. IE7 shows the
"sensitive" cookie data in the document.cookie string without adding
the flag. Adding the flag onto the domain string causes the sensitive
cookies to disappear from the document.cookie string.
Firefox ignores it and sets the cookies, as do Safari and Opera. I'll
do some more testing and report back on my findings. I also have a
Firefox-friendly version to stop access to document.cookie which
I'll post up tomorrow.
UPDATE 14th September
I've downloaded the source to PHP 5 to confirm that this 'hack'
will work across different platforms. The source code confirms that no
cleaning takes place on