Scott MacVicar wrote:
Hi,
After we recently experienced an XSS through what can only be described
as IE's shocking attempt at determining the mime type from the data and
ignoring what the server sent we decided to look into implementing
HTTP-only cookies. We know it's not a solution for preventing XSS, but
adding this would complicate the process for those wanting to exploit
any discovered problems before they are rectified.
HTTP-only is a feature in IE 6 SP1, Opera, Safari and KDE to allow the
setting of cookies that will only be sent via HTTP headers and never
accessible via client side scripting.
Ref: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
I've added the flags for setcookie and setrawcookie. Support for the
session system is also included.
+1
--
Brian Moon
-------------
http://dealnews.com/
It's good to be cheap =)
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
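An added example of the feature under discussion, not code from the thread or from the patch itself: it assumes PHP 5.2.0 or later, where setcookie()/setrawcookie() take a seventh "httponly" argument, session_set_cookie_params() takes a fifth one, and the session extension honours the session.cookie_httponly ini setting. The set_httponly_cookie() helper name is hypothetical; it shows the header the flag produces and doubles as a fallback for older PHP.

```php
<?php
// Added example: marking cookies HttpOnly so they are sent in HTTP
// headers but never returned by document.cookie in the browser.
// Assumes PHP >= 5.2.0 (httponly arguments and ini setting present).

// Decide once whether we are on TLS; reuse for the Secure flag.
$secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// 1. Session cookie. Both lines must run before session_start(),
//    because the cookie is emitted when the session is started.
ini_set('session.cookie_httponly', 1);
// Equivalent per-call form: (lifetime, path, domain, secure, httponly)
session_set_cookie_params(0, '/', '', $secure, true);
session_start();

// 2. Application cookie via setcookie(): the 7th argument is httponly.
//    Placeholder token; use a proper CSPRNG in real code.
$token = sha1(uniqid(mt_rand(), true));
setcookie('remember', $token, time() + 86400 * 14, '/', '', $secure, true);

// 3. Same cookie via setrawcookie(): value is sent as-is, not urlencoded,
//    so the caller must make sure it contains no ';', ',' or whitespace.
setrawcookie('remember_raw', $token, time() + 86400 * 14, '/', '', $secure, true);

// 4. Hypothetical fallback for PHP < 5.2: build the Set-Cookie header by
//    hand. Browsers that do not understand "HttpOnly" simply ignore it,
//    so the attribute is safe to send unconditionally.
function set_httponly_cookie($name, $value, $expire = 0, $path = '/', $secure = false)
{
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expire > 0) {
        // Netscape-style expires date, always in GMT.
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expire);
    }
    $cookie .= '; path=' . $path;
    if ($secure) {
        $cookie .= '; Secure';
    }
    $cookie .= '; HttpOnly';
    // Second argument false: append rather than replace earlier Set-Cookie headers.
    header('Set-Cookie: ' . $cookie, false);
    return $cookie; // e.g. "remember=...; expires=...; path=/; Secure; HttpOnly"
}

set_httponly_cookie('legacy', $token, time() + 86400 * 14, '/', $secure);
```

To check the result in a browser that supports the flag, open the page and evaluate document.cookie: the PHPSESSID, remember, remember_raw and legacy cookies should be absent from the string even though the browser sends them on every request. That is the whole point and also the limit of the flag: injected script can no longer read the session identifier, but any request that script causes the browser to make still carries the cookie, so HttpOnly raises the cost of session theft without stopping an attacker from acting through the victim's browser.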