Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

Remove Set-Cookie on dynamically generated CSS/JS?

posted by audvare 8 years ago

When I use the Audits section in Chrome/Safari, I get the following message regarding a page that does what the code shows.

The following publicly cacheable resources contain a Set-Cookie header. This security vulnerability can cause cookies to be shared by multiple users.

    <?php
    header('Content-type: text/css');
    header('Cache-Control: max-age=1209600'); // 2 weeks
    header('Pragma: ');
    $mtime = filemtime($_SERVER['SCRIPT_FILENAME']);
    $lastModified = gmdate('D, d M Y H:i:s', $mtime) . ' GMT';
    header('Last-Modified: ' . $lastModified);
    $etag = '"' . md5_file($_SERVER['SCRIPT_FILENAME']) . '"'; // ETag values are quoted strings
    header('ETag: ' . $etag);

    // Compare timestamps to timestamps; comparing strtotime()'s integer to the date string never matched
    $ifModified = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $mtime;
    $ifNone = isset($_SERVER['HTTP_IF_NONE_MATCH']) && trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag;
    if ($ifModified || $ifNone) {
        header('HTTP/1.1 304 Not Modified');
        exit;
    }

    // print combined CSS or JS
    exit;

What should I do here to completely remove cookies from these resources to stop this message (and close a potential hole)?

Have you tried just setting it to a blank value?

    header('Set-Cookie: ');
posted by wbond 8 years ago

Tried that. No effect. Not too worried at the moment because eventually all generated CSS/JS will go to a CDN anyway and then that error (if they have it, unlikely) is their problem.

posted by audvare 8 years ago

Think I figured it out. It's a setting (maybe settable at runtime?) in php.ini:

    session.cookie_httponly = 1

By default, it's off. http://php.net/session.cookie-httponly

posted by audvare 8 years ago
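An added example, not code from the thread or from Flourish, showing how to keep a generated CSS/JS response free of session cookies so the Chrome audit condition cannot arise: session.cookie_httponly only adds the HttpOnly attribute to the session cookie, the Set-Cookie header is still sent, so the cookie has to be prevented or removed instead. It assumes this script is the combined-CSS endpoint, that nothing has called session_start() before it runs, and that $combinedCss stands in for the real generated output.

```php
<?php
// Added example, not from the thread: serve generated CSS/JS as a shared,
// cacheable resource without attaching any user's session cookie to it.
// Assumes this script is the combined-CSS endpoint and that nothing has
// called session_start() before this point.

// 1. Keep the session layer off this response. With use_cookies disabled,
//    session_start() sends no Set-Cookie; an empty cache limiter stops it from
//    emitting its own Cache-Control/Pragma/Expires headers (the reason the
//    original snippet had to blank Pragma). Both must precede session_start().
ini_set('session.use_cookies', '0');
session_cache_limiter('');

// 2. If something earlier (session.auto_start, a framework bootstrap) already
//    queued a cookie, drop it before any output is sent.
header_remove('Set-Cookie');

// 3. Validators plus an explicitly public cache policy.
$file  = $_SERVER['SCRIPT_FILENAME'];
$mtime = filemtime($file);
$etag  = '"' . md5_file($file) . '"';                // ETag values are quoted strings

header('Content-Type: text/css; charset=utf-8');
header('Cache-Control: public, max-age=1209600');   // 2 weeks, shared caches allowed
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $mtime) . ' GMT');
header('ETag: ' . $etag);

$notModified =
    (isset($_SERVER['HTTP_IF_NONE_MATCH']) && trim($_SERVER['HTTP_IF_NONE_MATCH']) === $etag) ||
    (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $mtime);
if ($notModified) {
    http_response_code(304);
    exit;
}

// 4. Fail closed: if a cookie is still queued, never let a shared cache store it.
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        error_log('Generated asset would carry a cookie, marking it private: ' . $h);
        header('Cache-Control: private, no-store');
        break;
    }
}

$combinedCss = '/* constructed placeholder: the real combined CSS goes here */';
echo $combinedCss;
```

The final loop is the runtime equivalent of the Chrome audit: a response that still carries Set-Cookie is downgraded to private rather than shipped with a public max-age.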