Zend Framework 1: Setting Session Cookie to Http-Only is not working

Question

So, at this very old project where there is still ZF1 running, we tried to put the http-only flag of the session-cookie to TRUE.

We already have this line in the application.ini: phpSettings.session.cookie_httponly = true

Then we went to the Session.php of the Framework itself. In line 106, there's the setting for cookie_httponly , as seen here: https://github.com/zendframework/zf1/blob/master/library/Zend/Session.php

Instead of null , we tried 'On' , 'on' and even true . We even set a breakpoint in line 205, and it went into the if-block during runtime.

And yet, no matter how many times we delete the session cookie in the browser, there is NO flag shown under HttpOnly when the cookie is created again.

We also have Zend_Session::setOptions(array('cookie_httponly' => true)); in the code, as seen here in the index.php:

[...]
/** Zend_Application */
require_once 'Zend/Application.php';

// Create application, bootstrap, and run
$application = new Zend_Application(
    APPLICATION_ENV,
    APPLICATION_PATH . '/configs/application.ini'
);

Zend_Session::setOptions(array('cookie_httponly' => true));

$application->bootstrap('frontend')
        ->run();

We got no clue what else we should try.

Answer 1

I found a method that has been written by some ex-developer, where setcookie is used to create that session cookie. The one parameter named httponly was not set (standard value is false ), after I set it to true , it finally worked.

So no matter what I tried (even tried Rob's suggestions, as seen above), it was this one line that had to be editet.