• For your cookies, see this answer.
• For PHP's own session cookie(PHPSESSID, by default), see @richie's answer

• 对于您的 cookie，请参阅此答案。
• 对于PHP 自己的会话 cookie（PHPSESSID默认情况下为 ），请参阅@richie 的回答

The setcookie()and setrawcookie()functions, introduced the httponlyparameter, back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax

该setcookie()和setrawcookie()功能，介绍了httponly参数，早在PHP 5.2.0的黑暗时代，使这个漂亮和容易。只需按照语法将第 7 个参数设置为 true

Function syntax simplified for brevity

为简洁起见简化了函数语法

setcookie(    $name, $value, $expire, $path, $domain, $secure, $httponly )
setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )

Enter NULLfor parameters you wish to remain as default. You may also want to consider if you should be setting the secureparameter.

输入NULL您希望保留为默认值的参数。您可能还需要考虑是否应该设置secure参数。

It is also possible using the older, lower-level header()function:

也可以使用较旧的低级header()函数：

header( "Set-Cookie: name=value; httpOnly" );

For PHP's own session cookies on Apache:
add this to your Apache configuration or .htaccess

对于 Apache 上的 PHP 自己的会话 cookie：
将其添加到您的 Apache 配置或.htaccess

<IfModule php5_module>
    php_flag session.cookie_httponly on
</IfModule>

This can also be set within a script, as long as it is called before session_start().

这也可以在脚本中设置，只要它在 之前调用session_start()。

ini_set( 'session.cookie_httponly', 1 );

Be aware that HttpOnly doesn't stop cross-site scripting; instead, it neutralizes one possible attack, and currently does that only on IE (FireFox exposes HttpOnly cookies in XmlHttpRequest, and Safari doesn't honor it at all). By all means, turn HttpOnly on, but don't drop even an hour of output filtering and fuzz testing in trade for it.

请注意 HttpOnly 不会停止跨站点脚本；相反，它消除了一种可能的攻击，目前仅在 IE 上执行此操作（FireFox 在 XmlHttpRequest 中公开 HttpOnly cookie，而 Safari 根本不支持它）。无论如何，打开 HttpOnly，但不要为了它而放弃甚至一小时的输出过滤和模糊测试。

Note that PHP session cookies don't use httponlyby default.

请注意，httponly默认情况下不使用 PHP 会话 cookie 。

To do that:

要做到这一点：

$sess_name = session_name();
if (session_start()) {
    setcookie($sess_name, session_id(), null, '/', null, null, true);
}

A couple of items of note here:

这里有几个值得注意的项目：

• You have to call session_name()before session_start()
• This also sets the default path to '/', which is necessary for Opera but which PHP session cookies don't do by default either.

• 你必须调用session_name()之前session_start()
• 这还将默认路径设置为“/”，这对于 Opera 来说是必需的，但默认情况下 PHP 会话 cookie 也不会这样做。

<?php
//None HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, FALSE); 

//HttpOnly cookie:
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE); 

?>

Source

来源

You can specify it in the set cookie function see the php manual

可以在set cookie函数中指定，参见php手册

setcookie('Foo','Bar',0,'/', 'www.sample.com'  , FALSE, TRUE);

Explanation here from Ilia... 5.2 only though

此处来自 Ilia 的解释... 5.2 仅

httpOnly cookie flag support in PHP 5.2

PHP 5.2 中的 httpOnly cookie 标志支持

As stated in that article, you can set the header yourself in previous versions of PHP

如该文章所述，您可以在以前版本的 PHP 中自行设置标头

header("Set-Cookie: hidden=value; httpOnly");

You can use this in a header file.

您可以在头文件中使用它。

// setup session enviroment
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);

This way all future session cookies will use httponly.

这样所有未来的会话 cookie 都将使用 httponly。

• Updated.

• 更新。

The right syntax of the php_flag command is

php_flag 命令的正确语法是

php_flag  session.cookie_httponly On

And be aware, just first answer from server set the cookie and here (for example You can see the "HttpOnly" directive. So for testing delete cookies from browser after every testing request.

请注意，只需来自服务器的第一个回答设置 cookie 并在此处设置（例如，您可以看到“HttpOnly”指令。因此，为了在每次测试请求后从浏览器中删除 cookie 进行测试。

A more elegant solution since PHP >=7.0

自PHP >=7.0以来更优雅的解决方案

session_start(['cookie_lifetime' => 43200,'cookie_secure' => true,'cookie_httponly' => true]);

session_start

会话开始

session_start options

session_start 选项