Wondering how to prevent JavaScript from stealing session cookie? Major browsers got the answer: just add HttpOnly to cookie to protect it from malicious JavaScript code. Full details are available at MSDN.
Since this option is well-supported (AFAIK MSIE, Mozilla/Firefox/Gecko and Konqueror support it) it’s unclear why PHP doesn’t support it yet. I’ve written a patch to add HttpOnly support to PHP. After applying the patch, add this string to your php.ini:
session.cookie_httponly = 1Enjoy!