How can I set the cookies in my PHP apps as HttpOnly cookies?

Scott Warren
  • http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies Has the browser support info. – Kzqai Nov 19 '12 at 17:00
  • @Tchalvak No, the current answers are still authoritative. Nothing has changed since 2008 regarding HTTP-only cookie setting in PHP. _Which browsers support HTTP-only cookies_ is a different question, with a different answer. – lanzz Nov 22 '12 at 10:11
  • You may use `$cookie->setHttpOnly(true);` with https://github.com/delight-im/PHP-Cookie – caw Jul 12 '16 at 23:44

10 Answers


For PHP's own session cookies on Apache:
add this to your Apache configuration or .htaccess

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

ini_set( 'session.cookie_httponly', 1 );
  • +1 as this is a good thing (for security) to have in place on your entire server but instead added to the `php.ini`. – Anthony Hatzopoulos Nov 23 '12 at 16:10
  • Please note php_flag should be used instead: "Don't use php_value to set boolean values. php_flag should be used instead." http://php.net/manual/en/configuration.changes.php – Ondrej Machulda Oct 13 '13 at 13:23
  • @OndrejMachulda Changing `php_value` to `php_flag` doesn't work. I just tried it on my server.. – Nate Dec 28 '13 at 16:20
  • @Nate: When changing to `php_flag`, you must change also the value - to either `on` or `off` - see the manual. – Ondrej Machulda Dec 29 '13 at 11:49
  • For your cookies, see this answer.
  • For PHP's own session cookie (PHPSESSID, by default), see @richie's answer

The setcookie() and setrawcookie() functions introduced the httponly parameter back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax:

Function syntax simplified for brevity

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

In PHP < 8, specify NULL for parameters you wish to remain as default.

In PHP >= 8 you can benefit from using named parameters. See this question about named params.

setcookie( $name, $value, httponly:true )

It is also possible using the older, lower-level header() function:

header( "Set-Cookie: name=value; httpOnly" );

You may also want to consider if you should be setting the secure parameter.

  • With PHP 8's named parameters, we'll finally be able to make the `set_cookie` call less verbose if we don't need to set the other parameters. For example `set_cookie($name, $value, httponly: true)`. – Sygmoral Aug 30 '20 at 15:36
  • on PHP 7.3.0, we can use array. `setcookie("name", "value", ['httponly' => true]);` – Dian Apr 25 '21 at 09:43
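As an added example (not code from the answer above), the following helper sets a cookie with the HttpOnly and Secure attributes using the options-array form on PHP 7.3+ and the positional form on older versions, and includes a small parser so you can check the emitted Set-Cookie header actually carries the flags. The function names and the sample header are my own.

```php
<?php
// Added example: emit an HttpOnly cookie and verify the Set-Cookie header.
// Helper names (setHardenedCookie, cookieAttributes) are assumptions, not PHP APIs.

declare(strict_types=1);

/**
 * Emit a cookie that JavaScript cannot read (HttpOnly) and that is only sent
 * over TLS (Secure). Uses the options array on PHP >= 7.3 and falls back to
 * the positional $secure (6th) and $httponly (7th) parameters otherwise.
 */
function setHardenedCookie(string $name, string $value, int $expires = 0): bool
{
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    // Positional form: ($name, $value, $expire, $path, $domain, $secure, $httponly)
    return setcookie($name, $value, $expires, '/', '', true, true);
}

/**
 * Return the attribute names of a Set-Cookie header value, lower-cased,
 * so a test can assert that "httponly" and "secure" are present.
 */
function cookieAttributes(string $setCookieValue): array
{
    $parts = array_map('trim', explode(';', $setCookieValue));
    array_shift($parts); // drop the leading "name=value" pair
    $attrs = [];
    foreach ($parts as $part) {
        [$attr] = explode('=', $part, 2);
        $attrs[] = strtolower($attr);
    }
    return $attrs;
}

// Constructed sample of what PHP emits for the call above (no real request needed)
$sample = 'session_token=abc123; path=/; secure; HttpOnly; SameSite=Lax';
$attrs  = cookieAttributes($sample);
assert(in_array('httponly', $attrs, true) && in_array('secure', $attrs, true));

// Under a web SAPI, inspect the real headers before any output is sent:
// foreach (headers_list() as $h) { if (stripos($h, 'Set-Cookie:') === 0) { /* check */ } }
```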

Note that PHP session cookies don't use httponly by default.

To do that:

$sess_name = session_name();
if (session_start()) {
    // 7th argument (httponly) set to true; path forced to '/'
    setcookie($sess_name, session_id(), null, '/', null, null, true);
}

A couple of items of note here:

  • You have to call session_name() before session_start()
  • This also sets the default path to '/', which is necessary for Opera but which PHP session cookies don't do by default either.
  • http://php.net/manual/en/function.session-set-cookie-params.php It can be done automatically via the above PHP function instead of custom coding. – Ryaner Nov 14 '10 at 11:28

Be aware that HttpOnly doesn't stop cross-site scripting; instead, it neutralizes one possible attack, and currently does that only on IE (FireFox exposes HttpOnly cookies in XmlHttpRequest, and Safari doesn't honor it at all). By all means, turn HttpOnly on, but don't drop even an hour of output filtering and fuzz testing in trade for it.

  • This situation may have changed since '08, now. Here is a more current/updated list: http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies – Kzqai Nov 19 '12 at 16:59
// Non-HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, FALSE); 

//HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE); 


Explanation here from Ilia... 5.2 only though

httpOnly cookie flag support in PHP 5.2

As stated in that article, you can set the header yourself in previous versions of PHP

header("Set-Cookie: hidden=value; httpOnly");

You can specify it in the set cookie function see the php manual

setcookie('Foo','Bar',0,'/', 'www.sample.com'  , FALSE, TRUE);

You can use this in a header file.

// setup session environment

This way all future session cookies will use httponly.


The right syntax of the php_flag command is

php_flag  session.cookie_httponly On

And be aware that only the first response from the server sets the cookie, and there (for example) you can see the "HttpOnly" directive. So for testing, delete the cookies from the browser after every test request.


A more elegant solution since PHP >=7.0

session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);


session_start options
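As an added example (not from the answer above), this configures the session cookie before session_start() with session_set_cookie_params() and then reads the effective settings back, which is the check to run when a php_flag or ini_set change does not seem to take effect. Function names are my own; the PHP calls used are standard.

```php
<?php
// Added example: harden the PHP session cookie and verify the effective settings.
// hardenSessionCookie() and sessionCookieReport() are assumed names, not PHP APIs.

declare(strict_types=1);

function hardenSessionCookie(int $lifetime = 0): void
{
    // Must run before session_start(); the cookie is emitted at that point.
    ini_set('session.use_only_cookies', '1'); // never accept session ids from URLs
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not generate

    if (PHP_VERSION_ID >= 70300) {
        session_set_cookie_params([
            'lifetime' => $lifetime,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    } else {
        // Positional form: ($lifetime, $path, $domain, $secure, $httponly)
        session_set_cookie_params($lifetime, '/', '', true, true);
    }
}

/** Report which protections are active for the session cookie. */
function sessionCookieReport(): array
{
    $p = session_get_cookie_params();
    return [
        'httponly'     => (bool) $p['httponly'],
        'secure'       => (bool) $p['secure'],
        'samesite'     => $p['samesite'] ?? '',
        'strict_mode'  => ini_get('session.use_strict_mode') === '1',
        'only_cookies' => ini_get('session.use_only_cookies') === '1',
    ];
}

hardenSessionCookie(43200);
$report = sessionCookieReport();
assert($report['httponly'] && $report['secure'] && $report['strict_mode']);
// session_start() would now emit PHPSESSID with "; secure; HttpOnly; SameSite=Lax"
```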
