The HttpOnly cookie attribute tells the browser to prevent client-side scripts from reading cookies that carry the attribute, and its use goes a long way toward limiting the impact of Cross-Site Scripting (XSS) attacks: injected script can no longer read the cookie through `document.cookie` and exfiltrate it. Thus, as a precaution, the attribute should be set by default on all cookies set server-side, such as session id cookies.

Setting the attribute can be done either programmatically, per cookie, or globally via configuration files.

This rule raises an issue:

Noncompliant Code Example

; php.ini
session.cookie_httponly=false  ; Noncompliant; explicitly set to false

// file.php
setcookie($name, $value, $expire, $path, $domain, $secure, false);  // Noncompliant; explicitly set to false
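The compliant counterparts of the two snippets above, plus a small check over outgoing Set-Cookie headers, as an added example (this is not part of the original rule text, and the function names and the sample header lines are constructed for illustration). The php.ini equivalent is `session.cookie_httponly=1`; in code, the 7th positional argument of `setcookie()` defaults to `false`, so it must be passed as `true`, or set via the options array available since PHP 7.3.

```php
<?php
// Added example: compliant ways to set HttpOnly in PHP, and a check
// that flags cookies sent without it. All function names are hypothetical.

// 1. Programmatically, positional signature: the 7th argument ($httponly)
//    defaults to false, so pass true explicitly.
function set_session_cookie_positional(string $name, string $value): bool
{
    return setcookie(
        $name,
        $value,
        time() + 3600,   // expire
        '/',             // path
        '',              // domain: current host only
        true,            // secure: send only over HTTPS
        true             // httponly: compliant
    );
}

// 2. Programmatically, options-array signature (PHP >= 7.3).
function set_session_cookie_options(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,   // compliant
        'samesite' => 'Lax',
    ]);
}

// 3. Globally at runtime, before session_start(); equivalent to
//    session.cookie_httponly=1 in php.ini.
function configure_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    // Or, with the options array available since PHP 7.3:
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// 4. A check for a test or response middleware: given the raw header
//    lines a response carries (for example from headers_list() after the
//    handlers ran), return the names of cookies sent without HttpOnly.
function cookies_missing_httponly(array $header_lines): array
{
    $missing = [];
    foreach ($header_lines as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        // Split "name=value; attr; attr=value" into its parts.
        $attrs = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        $name  = explode('=', $attrs[0], 2)[0];
        $has_httponly = false;
        foreach (array_slice($attrs, 1) as $attr) {
            if (strcasecmp($attr, 'HttpOnly') === 0) {   // attribute names are case-insensitive
                $has_httponly = true;
                break;
            }
        }
        if (!$has_httponly) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample headers, as a framework test might capture them.
$sample = [
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
    'Set-Cookie: theme=dark; path=/',
    'Set-Cookie: remember=1; path=/; secure',
];
var_dump(cookies_missing_httponly($sample));
```

The check in step 4 is useful as a regression test: run the application's handlers, collect `headers_list()`, and fail the test if any cookie that should be protected (at minimum the session cookie) appears in the returned list.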

See