Re: [PHP-DEV] HTTP-Only Patch
by Brian Moon
Aug 7 2006 10:11AM
Scott MacVicar wrote:
> Hi,
>
> After we recently experienced an XSS through what can only be described
> as IE's shocking attempt at determining the mime type from the data and
> ignoring what the server sent we decided to look into implementing
> HTTP-only cookies. We know it's not a solution for preventing XSS, but
> adding this would complicate the process for those wanting to exploit
> any discovered problems before they are rectified.
>
> HTTP-only is a feature in IE 6 SP1, Opera, Safari and KDE to allow the
> setting of cookies that will only be sent via HTTP headers and never
> accessible via client side scripting.
>
> Ref: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
>
> I've added the flags for setcookie and setrawcookie. Support for the
> session system is included as well.
+1
--
Brian Moon
-------------
http://dealnews.com/
It's good to be cheap =)
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
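The HttpOnly flag described in the quoted message ends up as one more attribute on the `Set-Cookie` response header, and the practical check on the defending side is whether every cookie a site emits actually carries it. The following is an added illustration, not code from this thread or from PHP itself: a small audit over response headers that reports which cookies lack HttpOnly (and Secure). The sample headers are constructed to resemble what `setcookie()` emits with and without the new flag; they were not captured from any real server.

```python
"""Audit Set-Cookie response headers for the HttpOnly (and Secure) attribute.

Added illustration, not code from the php-internals thread. The sample
headers below are constructed to resemble what PHP's setcookie() emits
before and after the HttpOnly flag was added; none were captured from a
real server.
"""
from typing import Dict, List

# Constructed sample response headers (not real captures).
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123def456; path=/",
    "Set-Cookie: remember=1; expires=Thu, 07-Sep-2006 10:11:00 GMT; path=/; HttpOnly",
    "Set-Cookie: prefs=theme%3Ddark; path=/; secure; httponly",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into the cookie name and its attribute set.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    The cookie value itself is discarded; only the attributes matter here.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = set()
    for attr in parts[1:]:
        if not attr:
            continue
        attr_name, _, _attr_value = attr.partition("=")
        attrs.add(attr_name.strip().lower())
    return {"name": name.strip(), "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per Set-Cookie header: which defensive flags it lacks.

    A cookie without HttpOnly is exposed through document.cookie, so a script
    injected via an XSS flaw can read it; a cookie without Secure is also sent
    over plain HTTP. The finding lists whichever of the two is missing.
    """
    findings = []
    for header in headers:
        field, sep, value = header.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # not a Set-Cookie header
        cookie = parse_set_cookie(value)
        missing = [flag for flag in ("httponly", "secure") if flag not in cookie["attrs"]]
        findings.append({"name": cookie["name"], "missing": missing})
    return findings


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies that client-side script could still read."""
    return [f["name"] for f in audit_set_cookie(headers) if "httponly" in f["missing"]]


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = "ok" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['name']}: {status}")
```

Run against the constructed sample, the session cookie `PHPSESSID` is the one flagged for HttpOnly, which is exactly the cookie the patch's session-system support is meant to cover; `remember` carries HttpOnly but not Secure, and `prefs` passes both checks.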