I know this has been asked before but I needed some clarification and confirmation. I've been told when creating cookies, to use httponly to prevent XSS.
So my clarification is: if I use httponly, will my PHP scripts accessed via AJAX request still be able to determine my active PHP session (default: PHPSESSID) and retrieve my $_SESSION variables?
The thing is, I didn't design with the httponly option and I'm concerned that adding that option will in any way affect the design of the script.
Thanks!
I'm not sure I get the question, but here's a stab: you'd need to set up the session the same way on the script you're calling from AJAX as you did on your main page. For example, I have a single file I "include" in my main page, and in anything I call from that page using AJAX.
So, the top of my index.php has:
<?php include "db.php"; ?><!DOCTYPE...
Same thing at the top of my ajax_helper.php file:
<?php include "db.php"; ?>
The db.php file contains the mysql startup commands, session_start, and anything else that would be common to all pages on the site. That way, the session works anywhere.
I hope that makes sense and answers your question.
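The shared-include layout from the answer above, as an added example (not the answerer's own code): db.php sets the session cookie flags before session_start, and ajax_helper.php reuses the same bootstrap. The file names follow the answer; the cookie parameters and the user_id session key are assumptions.

```php
<?php
// ---- file: db.php (shared bootstrap, included by index.php and every AJAX endpoint) ----
declare(strict_types=1);

// Cookie flags must be set BEFORE session_start(). They only change how the
// browser stores the cookie: HttpOnly hides it from document.cookie, but the
// browser still attaches it to every same-site XHR/fetch request, so the
// server-side $_SESSION lookup is unaffected. (Values below are assumptions.)
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, expires with the browser
    'path'     => '/',
    'secure'   => true,   // send only over HTTPS
    'httponly' => true,   // not readable from JavaScript (limits XSS cookie theft)
    'samesite' => 'Lax',  // not sent on most cross-site requests (CSRF mitigation)
]);
session_start();

// MySQL/PDO setup and other site-wide bootstrap would follow here, as in the answer.

// ---- file: ajax_helper.php (called via AJAX from index.php) ----
declare(strict_types=1);
require __DIR__ . '/db.php';   // same bootstrap => same session cookie, same $_SESSION

header('Content-Type: application/json');

// $_SESSION is populated from the PHPSESSID cookie the browser sent; nothing
// in the page's JavaScript needs to read or forward that cookie itself.
if (empty($_SESSION['user_id'])) {          // 'user_id' is an assumed login marker
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}
echo json_encode(['user_id' => $_SESSION['user_id']]);
```

The two files are shown in one listing for brevity; split them at the `---- file:` comments when placing them on disk.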