[SOLVED][Drupal Errors] [PCI Compliance] Sensitive Cookie Missing 'HTTPONLY' Attribute


We ran into a "Sensitive Cookie Missing 'HTTPONLY' Attribute" finding on one of the more sophisticated Drupal applications we were developing. The finding came up when we had the Drupal application scanned for PCI Compliance. If you are facing the same scenario on your Drupal site, read on for the solution.

PCI is an industry standard for reviewing organizations that handle sensitive credit card information, with the aim of preventing credit card fraud. If your Drupal application is going to handle such information, it is important to have it assessed against this standard.

Now, coming back to the finding. It indicates that the Drupal application does not set the HttpOnly attribute on its session cookie. HttpOnly is a security feature introduced by Microsoft in IE 6 SP1 to limit the damage of a successful Cross-site Scripting attack: a cookie carrying the "HttpOnly" flag cannot be read by client-side scripts, so injected JavaScript cannot steal the session identifier.

In Drupal we can fix this by adding the following line to the settings.php file, which tells PHP to emit the session cookie with the HttpOnly attribute:

// settings.php: send the PHP session cookie with the HttpOnly attribute
ini_set('session.cookie_httponly', TRUE);

That's all there is to it.
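To confirm that the change actually took effect, it helps to check the Set-Cookie headers the site sends, which is the same thing the PCI scanner looks at. The following is an added example, not code from the original post: a small Python checker that parses Set-Cookie headers and reports session cookies that lack the HttpOnly attribute. The headers are constructed samples, and the assumption that Drupal's session cookie name starts with SESS or SSESS is ours.

```python
# Added example: report Set-Cookie headers whose session cookie lacks HttpOnly.
# Attribute names are matched case-insensitively, as RFC 6265 requires.

# Constructed sample headers, as a scanner might receive them from a Drupal site.
SAMPLE_HEADERS = [
    "Set-Cookie: SESS1234abcd=abc123; expires=Tue, 01-Jan-2030 00:00:00 GMT; "
    "path=/; domain=.example.com; secure; HttpOnly",
    "Set-Cookie: SESS1234abcd=def456; path=/; domain=.example.com",
    "Set-Cookie: has_js=1; path=/",
    "Content-Type: text/html; charset=utf-8",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, attribute dict).

    Attribute keys are lowercased; flag attributes such as HttpOnly or
    Secure map to True, valued attributes such as path map to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def cookies_missing_httponly(headers, sensitive_prefixes=("SESS", "SSESS")):
    """Return the names of session cookies set without the HttpOnly attribute.

    Only cookies whose name starts with one of sensitive_prefixes are
    considered sensitive; the defaults assume Drupal's SESS*/SSESS* naming.
    """
    findings = []
    for header in headers:
        field, _, value = header.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name.startswith(sensitive_prefixes) and "httponly" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    missing = cookies_missing_httponly(SAMPLE_HEADERS)
    if missing:
        print("Session cookies missing HttpOnly:", ", ".join(missing))
    else:
        print("All session cookies carry HttpOnly")
```

In practice you would feed it the response headers captured from your own site (for example the output of `curl -sI` against a page that starts a session) instead of the constructed list; if the fix in settings.php is active, the session cookie should no longer be reported.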

We would love to hear your thoughts if you have ever faced this scenario on your Drupal site; use the comments box below.