views: 20
answers: 1

Hi,

I know this has been asked before but I needed some clarification and confirmation. I've been told when creating cookies, to use httponly to prevent XSS.

So my clarification is if I use httponly, will my php scripts accessed via ajax request still be able to determine my active php session (default: PHPSESSID) and retrieve my $_SESSION variables?

The thing is I didn't design with httponly option and I'm concerned if adding that option will in any way affect the design of the script.

Thanks!

+1  A: 

I'm not sure I get the question, but here's a stab: you'd need to set up the session the same way on the script you're calling from ajax as you did on your main page. For example, I have a single file I "include" in my main page, and anything I call from that page using ajax.

so, the top of my index.php has

<?php include "db.php"; ?><!DOCTYPE...

same thing on the top of my ajax_helper.php file

<?php include "db.php"; ?>

the db.php file contains the mysql startup commands, session_start, and anything else that would be common to all pages on the site. That way, the session works anywhere.

I hope that makes sense and answers your question

Michael Lunsford
so setting my cookie to be httponly will not break my sessions or pages updated via ajax right? :) thanks
Lyon
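Added example, not code from the thread or from Michael's db.php: a shared include that turns on HttpOnly (plus Secure and SameSite) for the session cookie before session_start(), and an AJAX endpoint that reads $_SESSION through that include, which is the pattern the answer describes. HttpOnly only stops JavaScript from reading the cookie via document.cookie; the browser still attaches PHPSESSID to same-origin XMLHttpRequest and fetch calls on its own, so the server-side session is unaffected. The file names common.php and ajax_helper.php, the login helper and the user_id session key are my choices; the array form of session_set_cookie_params() assumes PHP 7.3 or newer.

```php
<?php
// ---- file: common.php --------------------------------------------------
// Included at the top of index.php and of every AJAX endpoint, in the role
// the answer gives to db.php. Cookie flags must be set BEFORE
// session_start(), because that call is what emits the Set-Cookie header.
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // another include already started it
    }
    // PHP 7.3+ array form. On older PHP the equivalent is
    // ini_set('session.cookie_httponly', '1') and ini_set('session.cookie_secure', '1').
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // hidden from document.cookie; server still sees it
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ]);
    session_start();
}

// Hypothetical login helper: called after the credentials check (not shown).
// Rotating the id means a session id fixed before login cannot be reused.
function log_in_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();

// ---- file: ajax_helper.php ---------------------------------------------
// Starts with: <?php require __DIR__ . '/common.php';
// Because common.php already ran session_start() with the same cookie
// name and flags, $_SESSION is populated here exactly as on index.php,
// whether or not the request came from XMLHttpRequest or fetch().
function ajax_whoami(): string
{
    header('Content-Type: application/json');
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        return json_encode(['error' => 'not logged in']);
    }
    return json_encode(['user_id' => $_SESSION['user_id']]);
}

echo ajax_whoami();
```

On the client side nothing changes: a same-origin XMLHttpRequest, or fetch() with its default credentials setting, carries the HttpOnly PHPSESSID cookie exactly as a normal page load does. What does break is any JavaScript that reads document.cookie to fetch the session id and pass it along by hand; that code has to be removed, which is also the point of the flag, since a script injected via XSS can no longer read the id either.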