Learn Cookie Flags: Secure, HttpOnly, and SameSite | Working with Cookies in PHP

Cookie Flags: Secure, HttpOnly, and SameSite

When you work with cookies in PHP, understanding cookie security flags is essential to protect your users. Three key flags—Secure, HttpOnly, and SameSite—play a vital role in defending against common web vulnerabilities. Each flag controls how and when a cookie is sent or accessed, reducing the risk of sensitive data exposure.

set_secure_cookie.php

<?php
// Set a cookie with Secure, HttpOnly, and SameSite flags
setcookie(
    "user_token",
    "abc123secure",
    [
        "expires"  => time() + 3600, // 1 hour from now
        "path"     => "/",
        "domain"   => "",            // current domain
        "secure"   => true,          // only send over HTTPS
        "httponly" => true,          // not accessible via JavaScript
        "samesite" => "Strict"       // only sent for same-site requests
    ]
);
echo "Secure cookie set with Secure, HttpOnly, and SameSite=Strict flags.";
?>

In the code above, you set a cookie named user_token with all three security flags enabled (the options-array form of setcookie() with a samesite key requires PHP 7.3 or later). The Secure flag ensures the cookie is only sent over HTTPS connections, so it cannot be read by anyone intercepting traffic on an unencrypted network. The HttpOnly flag prevents JavaScript on the page from reading the cookie through document.cookie, so a cross-site scripting (XSS) payload cannot steal it, even though the flag does nothing to stop the XSS itself. The SameSite flag, set to "Strict", tells browsers to send the cookie only with requests originating from the same site, reducing the risk of cross-site request forgery (CSRF).

Each flag contributes to a layered defense:

  • Secure: only transmits the cookie over encrypted HTTPS connections;
  • HttpOnly: hides the cookie from client-side scripts;
  • SameSite: restricts when the browser sends the cookie, controlling cross-site transmission. Strict withholds the cookie even on a top-level navigation from another site, so a user who follows an external link arrives without it; Lax sends it on such top-level GET navigations but not with cross-site POSTs or subresource requests, which is why Lax is the usual choice for a login cookie.

If you omit these flags, your cookies may be exposed to various attacks. Consider what happens when you set a cookie without these protections.

set_insecure_cookie.php

<?php
// Set a cookie without Secure, HttpOnly, or SameSite flags
setcookie("user_token", "abc123insecure", time() + 3600);
echo "Insecure cookie set without Secure, HttpOnly, or SameSite flags.";
?>

Comparing the two approaches, cookies set with all three flags are much better protected. The first example ensures cookies are only sent over secure channels, hidden from scripts, and limited to same-site requests. The second example leaves cookies exposed to interception, script access, and cross-site attacks. Always use these flags for any cookie that stores sensitive or authentication-related data.
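Building on the two examples above, here is an added wrapper (not the lesson's own code) that makes the three flags the default for every cookie, rejects invalid SameSite values, and goes one step beyond the lesson by applying the same flags to PHP's own session cookie; the function names are assumptions of this example, while setcookie() and session_set_cookie_params() are real PHP 7.3+ APIs.

```php
<?php
// Added example, not from the lesson: a wrapper that applies the three flags
// by default and validates the SameSite value. Function names are hypothetical;
// setcookie() and session_set_cookie_params() are real PHP 7.3+ APIs.

// Build the setcookie() options array with secure defaults. Callers may relax
// SameSite to "Lax" (e.g. for a cookie that must survive a top-level navigation
// from an external link) but cannot turn off Secure or HttpOnly.
function hardenedCookieOptions(int $ttlSeconds, string $sameSite = 'Strict'): array
{
    $allowed = ['Strict', 'Lax', 'None'];
    if (!in_array($sameSite, $allowed, true)) {
        throw new InvalidArgumentException('SameSite must be one of: ' . implode(', ', $allowed));
    }
    // Browsers ignore SameSite=None unless Secure is set; Secure is always true here.
    return [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'domain'   => '',    // empty: host-only cookie, no Domain attribute emitted
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => $sameSite,
    ];
}

// Set a cookie with the hardened options. Returns false if output has already
// started, because setcookie() cannot add a header after that point.
function setHardenedCookie(string $name, string $value, int $ttlSeconds, string $sameSite = 'Strict'): bool
{
    if (headers_sent()) {
        return false;
    }
    return setcookie($name, $value, hardenedCookieOptions($ttlSeconds, $sameSite));
}

// Give PHP's own session cookie (PHPSESSID) the same flags. This must run
// before session_start(); lifetime 0 means the cookie expires with the browser.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

setHardenedCookie('user_token', 'abc123secure', 3600);
```

To confirm the flags actually reach the browser, inspect the Set-Cookie response header in the browser's developer tools or with curl -I against the page.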

Which of the following statements best describes the combined effect of setting Secure, HttpOnly, and SameSite flags on a cookie in PHP?

Section 2. Chapter 2