nlopess Fri Aug 11 16:21:54 2006 UTC
Modified files:
/phpdoc/en/reference/session ini.xml
/phpdoc/en/reference/session/functions
session-get-cookie-params.xml
session-set-cookie-params.xml
/phpdoc/en/reference/network/functions setcookie.xml
setrawcookie.xml
Log:
document the new httponly flag in session and setcookie*() stuff
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/session/ini.xml?r1=1.40&r2=1.41&diff_format=u
Index: phpdoc/en/reference/session/ini.xml
diff -u phpdoc/en/reference/session/ini.xml:1.40
phpdoc/en/reference/session/ini.xml:1.41
--- phpdoc/en/reference/session/ini.xml:1.40 Tue Feb 7 16:54:21 2006
+++ phpdoc/en/reference/session/ini.xml Fri Aug 11 16:21:54 2006
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.40 $ -->
+<!-- $Revision: 1.41 $ -->
<section id="session.configuration">
&reftitle.runtime;
&extension.runtime;
@@ -89,6 +89,12 @@
<entry>Available since PHP 4.0.4.</entry>
</row>
<row>
+ <entry>session.cookie_httponly</entry>
+ <entry>""</entry>
+ <entry>PHP_INI_ALL</entry>
+ <entry>Available since PHP 5.2.0.</entry>
+ </row>
+ <row>
<entry>session.use_cookies</entry>
<entry>"1"</entry>
<entry>PHP_INI_ALL</entry>
@@ -166,16 +172,6 @@
<entry>PHP_INI_ALL</entry>
<entry>Available since PHP 4.0.4.</entry>
</row>
-
-<!-- Not yet
- <row>
- <entry>session.encode_sources</entry>
- <entry>"globals</entry>
- <entry>track"</entry>
- <entry></entry>
- </row>
--->
-
</tbody>
</tgroup>
</table>
@@ -508,6 +504,21 @@
</listitem>
</varlistentry>
+ <varlistentry id="ini.session.cookie-httponly">
+ <term>
+ <parameter>session.cookie_httponly</parameter>
+ <type>boolean</type>
+ </term>
+ <listitem>
+ <simpara>
+ Marks the cookie as accessible only through the HTTP protocol. This means
+ that the cookie won't be accessible by scripting languages, such as
+ JavaScript. This setting can effectly help to reduce identity theft
+ through XSS attacks (although it is not supported by all browsers).
+ </simpara>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="ini.session.cache-limiter">
<term>
<parameter>session.cache_limiter</parameter>
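Review bot: The added `session.cookie_httponly` paragraph misspells "effectively" as `effectly` and describes the benefit more broadly than the flag provides. The same sentence recurs in the `httponly` row added to setcookie.xml (hunk `@@ -140,7 +141,20 @@`). HttpOnly only stops client-side script from reading the cookie value; injected script can still issue requests that carry the cookie, so the flag limits session-cookie theft rather than the impact of XSS in general. I would word it as `This setting can effectively help to reduce session cookie theft through XSS attacks (although it is not supported by all browsers); it does not replace output escaping.` The enclosing list of ini entries starts and ends outside the hunk.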
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/session/functions/session-get-cookie-params.xml?r1=1.4&r2=1.5&diff_format=u
Index: phpdoc/en/reference/session/functions/session-get-cookie-params.xml
diff -u phpdoc/en/reference/session/functions/session-get-cookie-params.xml:1.4
phpdoc/en/reference/session/functions/session-get-cookie-params.xml:1.5
--- phpdoc/en/reference/session/functions/session-get-cookie-params.xml:1.4
Mon Apr 19 21:24:57 2004
+++ phpdoc/en/reference/session/functions/session-get-cookie-params.xml Fri Aug
11 16:21:54 2006
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.4 $ -->
+<!-- $Revision: 1.5 $ -->
<!-- splitted from ./en/functions/session.xml, last change in rev 1.8 -->
<refentry id="function.session-get-cookie-params">
<refnamediv>
@@ -40,6 +40,12 @@
(This item was added in PHP 4.0.4.)
</simpara>
</listitem>
+ <listitem>
+ <simpara>
+ "httponly" - The cookie can only be accessed through the HTTP protocol
+ (This item was added in PHP 5.2.0).
+ </simpara>
+ </listitem>
</itemizedlist>
</para>
<para>
@@ -47,7 +53,8 @@
<link
linkend="ini.session.cookie-lifetime">session.cookie_lifetime</link>,
<link linkend="ini.session.cookie-path">session.cookie_path</link>,
<link linkend="ini.session.cookie-domain">session.cookie_domain</link>,
- <link linkend="ini.session.cookie-secure">session.cookie_secure</link>,
and
+ <link linkend="ini.session.cookie-secure">session.cookie_secure</link>,
+ <link
linkend="ini.session.cookie-httponly">session.cookie_httponly</link>, and
<function>session_set_cookie_params</function>.
</para>
</refsect1>
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/session/functions/session-set-cookie-params.xml?r1=1.4&r2=1.5&diff_format=u
Index: phpdoc/en/reference/session/functions/session-set-cookie-params.xml
diff -u phpdoc/en/reference/session/functions/session-set-cookie-params.xml:1.4
phpdoc/en/reference/session/functions/session-set-cookie-params.xml:1.5
--- phpdoc/en/reference/session/functions/session-set-cookie-params.xml:1.4
Mon Apr 19 21:24:57 2004
+++ phpdoc/en/reference/session/functions/session-set-cookie-params.xml Fri Aug
11 16:21:54 2006
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.4 $ -->
+<!-- $Revision: 1.5 $ -->
<!-- splitted from ./en/functions/session.xml, last change in rev 1.2 -->
<refentry id="function.session-set-cookie-params">
<refnamediv>
@@ -16,6 +16,7 @@
<methodparam
choice="opt"><type>string</type><parameter>path</parameter></methodparam>
<methodparam
choice="opt"><type>string</type><parameter>domain</parameter></methodparam>
<methodparam
choice="opt"><type>bool</type><parameter>secure</parameter></methodparam>
+ <methodparam
choice="opt"><type>bool</type><parameter>httponly</parameter></methodparam>
</methodsynopsis>
<para>
Set cookie parameters defined in the &php.ini; file. The effect of this
@@ -26,7 +27,8 @@
<note>
<para>
The <parameter>secure</parameter> parameter was added in PHP
- 4.0.4.
+ 4.0.4, while the <parameter>httponly</parameter> parameter was added in
+ PHP 5.2.0.
</para>
</note>
<para>
@@ -34,7 +36,8 @@
<link
linkend="ini.session.cookie-lifetime">session.cookie_lifetime</link>,
<link linkend="ini.session.cookie-path">session.cookie_path</link>,
<link linkend="ini.session.cookie-domain">session.cookie_domain</link>,
- <link linkend="ini.session.cookie-secure">session.cookie_secure</link>,
and
+ <link linkend="ini.session.cookie-secure">session.cookie_secure</link>,
+ <link
linkend="ini.session.cookie-httponly">session.cookie_httponly</link>, and
<function>session_get_cookie_params</function>.
</para>
</refsect1>
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/network/functions/setcookie.xml?r1=1.1&r2=1.2&diff_format=u
Index: phpdoc/en/reference/network/functions/setcookie.xml
diff -u phpdoc/en/reference/network/functions/setcookie.xml:1.1
phpdoc/en/reference/network/functions/setcookie.xml:1.2
--- phpdoc/en/reference/network/functions/setcookie.xml:1.1 Mon Jul 24
11:01:55 2006
+++ phpdoc/en/reference/network/functions/setcookie.xml Fri Aug 11 16:21:54 2006
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.1 $ -->
+<!-- $Revision: 1.2 $ -->
<!-- splitted from ./en/functions/http.xml, last change in rev 1.2 -->
<refentry id="function.setcookie">
<refnamediv>
@@ -16,6 +16,7 @@
<methodparam
choice="opt"><type>string</type><parameter>path</parameter></methodparam>
<methodparam
choice="opt"><type>string</type><parameter>domain</parameter></methodparam>
<methodparam
choice="opt"><type>bool</type><parameter>secure</parameter></methodparam>
+ <methodparam
choice="opt"><type>bool</type><parameter>httponly</parameter></methodparam>
</methodsynopsis>
<para>
<function>setcookie</function> defines a cookie to be sent along
@@ -140,7 +141,20 @@
is &false;.
</entry>
<entry>
- <literal>0</literal> or <literal>1</literal>
+ &true; or &false;
+ </entry>
+ </row>
+ <row>
+ <entry><parameter>httponly</parameter></entry>
+ <entry>
+ When &true; the cookie will be made accessible only through the HTTP
+ protocol. This means that the cookie won't be accessible by
+ scripting languages, such as JavaScript. This setting can effectly
+ help to reduce identity theft through XSS attacks (although it is
+ not supported by all browsers). Added in PHP 5.2.0.
+ </entry>
+ <entry>
+ &true; or &false;
</entry>
</row>
</tbody>
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/network/functions/setrawcookie.xml?r1=1.1&r2=1.2&diff_format=u
Index: phpdoc/en/reference/network/functions/setrawcookie.xml
diff -u phpdoc/en/reference/network/functions/setrawcookie.xml:1.1
phpdoc/en/reference/network/functions/setrawcookie.xml:1.2
--- phpdoc/en/reference/network/functions/setrawcookie.xml:1.1 Mon Jul 24
11:01:55 2006
+++ phpdoc/en/reference/network/functions/setrawcookie.xml Fri Aug 11
16:21:54 2006
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.1 $ -->
+<!-- $Revision: 1.2 $ -->
<!-- splitted from ./en/functions/http.xml, last change in rev 1.2 -->
<refentry id="function.setrawcookie">
<refnamediv>
@@ -16,12 +16,18 @@
<methodparam
choice="opt"><type>string</type><parameter>path</parameter></methodparam>
<methodparam
choice="opt"><type>string</type><parameter>domain</parameter></methodparam>
<methodparam
choice="opt"><type>bool</type><parameter>secure</parameter></methodparam>
+ <methodparam
choice="opt"><type>bool</type><parameter>httponly</parameter></methodparam>
</methodsynopsis>
<para>
<function>setrawcookie</function> is exactly the same as
<function>setcookie</function> except that the cookie value will not
be automatically urlencoded when sent to the browser.
</para>
+ <note>
+ <para>
+ The <parameter>httponly</parameter> parameter was added in PHP 5.2.0.
+ </para>
+ </note>
<para>
See also <function>header</function>, <function>setcookie</function> and
the
<link linkend="features.cookies">cookies section</link>.