Seems like a little something slipped under the radar in the latest release of everyone’s favorite browser (Firefox 184.108.40.206) – the introduction of httpOnly cookies. I know it’s not supported across the board, but it’s a step in the right direction.
As Alex mentions (and includes a code snippet for), it's as easy as setting an "httpOnly" parameter when creating the cookie to get it to work correctly.
What are httpOnly cookies? The simple answer is that they protect the information in the cookie by making it inaccessible to script once it has been set, so that other sites (or even the site that set it) cannot get at it that way. The cookie can only be used when it is sent with an HTTP request, and *not* through a script request.
Also, happily, PHP allows this to be set right along with the other parameters in setcookie, as of PHP 5.2. No better time to upgrade, eh?
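As an added example (not from the original post or from Alex's snippet), this is one way to send an httpOnly cookie from PHP, with a hand-built header as a fallback for versions older than 5.2. The function names `build_cookie_header` and `send_httponly_cookie`, the cookie name `auth_token` and its value are hypothetical.

```php
<?php
// Added example; function names and the cookie name/value are hypothetical.

// Build a Set-Cookie header by hand for PHP versions older than 5.2,
// where setcookie() has no httponly parameter.
function build_cookie_header($name, $value, $expire, $path, $domain, $secure)
{
    // Refuse names with separator characters, as setcookie() itself does.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        return false;
    }
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expire > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $header .= '; path=' . $path; }
    if ($domain !== '') { $header .= '; domain=' . $domain; }
    if ($secure)        { $header .= '; secure'; }
    return $header . '; HttpOnly';
}

function send_httponly_cookie($name, $value, $expire = 0, $path = '/',
                              $domain = '', $secure = false)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // The seventh argument is the httponly flag added in PHP 5.2.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    $header = build_cookie_header($name, $value, $expire, $path, $domain, $secure);
    if ($header === false) {
        return false;
    }
    // Second argument false: append, do not replace earlier Set-Cookie headers.
    header($header, false);
    return true;
}

// The session cookie is the one most worth protecting from script access.
// The fifth (httponly) argument also arrived in PHP 5.2; call before session_start().
if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
    session_set_cookie_params(0, '/', '', false, true);
}
session_start();

// Constructed sample value, valid for one hour.
send_httponly_cookie('auth_token', 'constructed-sample-value', time() + 3600);
```

In a browser that supports the flag, `document.cookie` will not list either cookie, while both are still sent with every request to the site.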