Description: ------------ Starting with php 5.2 (according to Ilia's blog) there will be the $httponly-parameter for setcookie/setrawcookie. Since a workaround exists to make httponly also work with php before 5.2 that's where php_compat might come into play. Backgrounds on httponly: http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html

Suggested as setcookie.php. NOTE: untested - please do a quick check in case this is committed. Also please fix/remove the @require. <?php // +----------------------------------------------------------------------+ // | PHP Version 4 | // +----------------------------------------------------------------------+ // | Copyright (c) 1997-2004 The PHP Group | // +----------------------------------------------------------------------+ // | This source file is subject to version 3.0 of the PHP license, | // | that is bundled with this package in the file LICENSE, and is | // | available at through the world-wide-web at | // | http://www.php.net/license/3_0.txt. | // | If you did not receive a copy of the PHP license and are unable to | // | obtain it through the world-wide-web, please send a note to | // | license@php.net so we can mail you a copy immediately. | // +----------------------------------------------------------------------+ // | Author: Stefan Neufeind <neufeind@php.net> | // +----------------------------------------------------------------------+ // // $Id: $ /** * Replace setcookie() * * @category PHP * @package PHP_Compat * @link http://php.net/function.setcookie * @author Stefan Neufeind <neufeind@php.net> * @version $Revision: $ * @internal native support for including httponly-argument as of PHP 5.2.0 * @since PHP 5.2.0 * @require PHP 4.x ??? */ function php_compat_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly) { // following the idea on Matt Mecham's blog // http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html setcookie($name, $value, $expire, $path, $domain.'; HttpOnly', $secure); } /** * Replace setrawcookie() * * @category PHP * @package PHP_Compat * @link http://php.net/function.setcookie * @author Stefan Neufeind <neufeind@php.net> * @version $Revision: $ * @internal native support for including httponly-argument as of PHP 5.2.0 * @since PHP 5.2.0 * @require PHP 4.x ??? */ function php_compat_setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly) { // following the idea on Matt Mecham's blog // http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html setrawcookie($name, $value, $expire, $path, $domain.'; HttpOnly', $secure); } if ( PHP_VERSION < 5.2 ) function setcookie($name, $value, $expire, $path, $domain, $secure, $httponly) { return php_compat_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly) } function setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly) { return php_compat_setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly) } } ?>

I've added the two files for setcookie and setrawcookie. Note: The setrawcookie function should make use of the header function to avoid the values being urlencoded. I'll add this as a todo.