Cookie – What Does Magento Cookie $secure Variable Do?


Could anyone be kind and explain what is the good practice for setting cookies in Magento with:

Mage::getModel('core/cookie')->set($name, $value, $period, $path, $domain, $secure, $httponly);

I am especially interested what the $secure and $httponly do.

Best Answer

Magento uses the default PHP setcookie function.

secure - Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it's on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

httponly - When TRUE the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed. Added in PHP 5.2.0. Accepts TRUE or FALSE.

See /app/code/core/Mage/Core/Model/Cookie.php

public function set($name, $value, $period = null, $path = null, $domain = null, $secure = null, $httponly = null)
{
    .....

    setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);

    return $this;
}