PHP Academy · Lesson

Cookie Security: HttpOnly and Secure Flags

Protect cookies with HttpOnly, Secure, and SameSite attributes.

The HttpOnly Flag

When a cookie is set with the HttpOnly flag, the browser withholds it from JavaScript: it does not appear in document.cookie, so a script injected through XSS cannot read the session cookie and steal the session.

Setting HttpOnly and Secure

Use the options array form (PHP 7.3+) for clean, readable code.

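<?php
// Example value only: a random session identifier.
$id = bin2hex(random_bytes(32));

// setcookie() must run before any output is sent.
setcookie("session_id", $id, [
    "expires"  => time() + 3600, // one hour from now
    "path"     => "/",
    "secure"   => true,          // sent over HTTPS only
    "httponly" => true,          // hidden from document.cookie
    "samesite" => "Strict",      // not sent on cross-site requests
]);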
