Skip to main content

How can Javascript be prevented from accessing PHP cookie data?

Image
By User


(Taken from a job interview)



Which of the following answers are correct ?



  • Use the httponly parameter when setting the cookie

  • The user must turn off Javascript support

  • It's a cookie setting in the browser

  • Only the issuing domain can access the cookie

  • One is on the client and the other is on the server, so it's not an issue


Source: Tips4allCCNA FINAL EXAM
Labels:

Comments

  1. UserMay 16, 2012 at 10:34 AM

    The correct answer is the first:

    Use the httponly parameter when setting the cookie


    This flag prevents (on compatible browsers, almost all, including IE >= 6sp1) the javascript engine on the browser to access cookies with this parameter. You can set this flag for regular cookies with setcookie and for session cookies with session_set_cookie_params.

    edited: Support for IE >= 6sp1 instead of IE >= 7

    ReplyDelete
  2. UserMay 16, 2012 at 10:34 AM

    First of all, the question its not well formulated.

    Cookies are an HTTP concept, not a PHP concept. PHP can create and modify cookies, but there is no such thing like a "PHP COOKIE". The browser don't care about if the response was generated by PHP, or by Python, or by a perl cgi.

    Trying to identify what could be the real question, the possibilities are:


    The cookie to keep the session id in the browser
    a cookie sent with setcookie


    I bet for the question 1. I understand that the correct question should has been:

    "Why the client side using javascript or any other method, its unable to view or modify the information stored in the PHP session?"

    Then, the answer is:

    "Because, even if the PHP sessions use cookies, this cookies are only used to store the session id, not the content of the session. The content of the session its stored on the server, not in the cookie itself."

    ReplyDelete
  3. UserMay 16, 2012 at 10:34 AM

    When the cookie header is set, you can specify httpOnly.

    This can be done via PHP's setcookie function:

    setcookie ( $name, $value, $expire, $path, $domain, $secure, $httponly )


    httpOnly instructs the browser to not allow JS to access the cookie.

    ReplyDelete
  4. UserMay 16, 2012 at 10:34 AM

    a cookie is client side..... ?

    The user must turn off Javascript support - aggressive

    Use the httponly parameter when setting the cookie - probably the right answer but as was answered earlier.. there are work-arounds I suppose

    ReplyDelete

Post a Comment

Popular posts from this blog

Slow Android emulator

By User
I have a 2.67 GHz Celeron processor, 1.21 GB of RAM on a x86 Windows XP Professional machine. My understanding is that the Android emulator should start fairly quickly on such a machine, but for me it does not. I have followed all instructions in setting up the IDE, SDKs, JDKs and such and have had some success in staring the emulator quickly but is very particulary. How can I, if possible, fix this problem?
30 comments
Read more