
How Can I Force HttpOnly FALSE On Cookies So JavaScript Can Read Them With PHP Cross-Domain?

I need highly promiscuous cookies on X.com because security is not a concern. How can I enforce HttpOnly to be false on cookies made in domain X.com, so that JavaScript on AnyRandomUnexpectedDomain.com can call X.com/readCookie.php and readCookie.php can send back the data in X.com cookies?

readCookie.php has header("Access-Control-Allow-Origin: *") and the nginx web server has Access-Control-Allow-Origin wide open as well. In php.ini session.cookie_httponly = 0, but of course, that is only for sessions, not permanent cookies. With this setup, remote execution calls and AJAX data flow cross-domain are working properly, but the only problem is the $_COOKIE["auth"] call added to readCookie.php returns nothing, even when the auth cookie is created with HttpOnly explicitly set to FALSE, like this:

setcookie("auth",$secret,time()+3600*24*365,"/",null,false,false);

What else is needed in the code, web server, PHP, etc., so that $_COOKIE["auth"] returns the value of the X.com cookie to AnyRandomUnexpectedDomain.com?

I use session_set_cookie_params for setting cookie. This is the code I use.

    $session_name = 'somesessionname';
    $secure   = false;  // set to true when the site is served over https
    $httponly = false;  // false so the session cookie is readable from JavaScript

    // Refuse to run if sessions cannot be restricted to cookies (no URL session ids)
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        // err = Could not initiate a safe session
        exit();
    }

    // Keep lifetime/path/domain from php.ini, override only the secure/httponly flags
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);
    session_name($session_name);
    session_start();
