I need highly promiscuous cookies on X.com because security is not a concern. How can I enforce HttpOnly to be false on cookies made in domain X.com, so that JavaScript on AnyRandomUnexpectedDomain.com can call X.com/readCookie.php and readCookie.php can send back the data in X.com cookies?
readCookie.php has header("Access-Control-Allow-Origin: *") and the nginx web server has Access-Control-Allow-Origin wide open as well. In php.ini session.cookie_httponly = 0, but of course, that is only for sessions, not permanent cookies. With this setup, remote execution calls and AJAX data flow cross-domain are working properly, but the only problem is the $_COOKIE["auth"] call added to readCookie.php returns nothing, even when the auth cookie is created with HttpOnly explicitly set to FALSE, like this:
setcookie("auth",$secret,time()+3600*24*365,"/",null,false,false); // name, value, expire, path, domain, secure, httponly
What else is needed in the code, web server, PHP, etc., so that $_COOKIE["auth"] returns the value of the X.com cookie to AnyRandomUnexpectedDomain.com?
I use session_set_cookie_params for setting the cookie. This is the code I use.
$session_name = 'somesessionname';
$secure = false;   // true would restrict the session cookie to HTTPS
$httponly = false; // false leaves the cookie readable from document.cookie
// Refuse to fall back to passing the session id in the URL.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    // err=Could not initiate a safe session
    exit();
}
// Keep the configured lifetime, path and domain; only override the flags.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"],
    $cookieParams["domain"],
    $secure, $httponly);
session_name($session_name);
session_start();
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.