I am using PHP setcookie to set ordinary cookies, then later setting one with httponly. It seems this does not work. The setcookie function returns success but the cookie is not set in $_COOKIE.

Is it possible to mix ordinary and httponly cookies?

UPDATE

Yes, it works.

Thanks Rudi.


Solution

As noted in comments, mixing non-httponly and httponly cookies is not a problem at all if you're reading them by PHP, because PHP obviously needs an HTTP request to be processed and so will receive the cookie as usual, regardless of its HttpOnly flag.

The following test case can prove this (open, and refresh):

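<?php
// Send the cookies first: setcookie() emits headers, which must precede any output.
setcookie('TestNonHttpOnly', 'True', time() + 3600, '/', '.example.com', false, false); // HttpOnly off
setcookie('TestHttpOnly', 'True', time() + 3600, '/', '.example.com', false, true);     // HttpOnly on

// Dump the cookies received with this request; both appear after a refresh.
echo '<pre>';
var_dump($_COOKIE);
echo '</pre>';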

(Live test available)
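
The behaviour described in the answer above, as an added example that is not part of the original post: a simplified command-line model of a browser cookie jar, showing that HttpOnly only hides a cookie from page scripts and does not remove it from the Cookie request header that PHP reads. The function names and the two sample Set-Cookie values are constructed for illustration; Domain, Path, Expires and Secure matching are deliberately ignored.

```php
<?php
// Simplified model of a browser cookie jar (an assumption-laden sketch, not a real browser).
// Domain, Path, Expires and Secure matching are ignored to isolate the HttpOnly flag.

// Parse one Set-Cookie header value into name, value and the HttpOnly flag.
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = explode('=', array_shift($parts), 2);
    // Attribute names are case-insensitive, so compare in lower case.
    $httpOnly = in_array('httponly', array_map('strtolower', $parts), true);
    return ['name' => $name, 'value' => $value, 'httponly' => $httpOnly];
}

// The Cookie request header: every stored cookie, HttpOnly or not.
function cookieRequestHeader(array $jar): string
{
    return implode('; ', array_map(fn($c) => $c['name'] . '=' . $c['value'], $jar));
}

// What document.cookie exposes to page scripts: non-HttpOnly cookies only.
function scriptVisibleCookies(array $jar): string
{
    return cookieRequestHeader(array_filter($jar, fn($c) => !$c['httponly']));
}

// Rebuild a $_COOKIE-style array from a Cookie request header, as the server would.
function serverSideCookies(string $cookieHeader): array
{
    $cookies = [];
    foreach (explode('; ', $cookieHeader) as $pair) {
        [$name, $value] = explode('=', $pair, 2);
        $cookies[$name] = urldecode($value);
    }
    return $cookies;
}

// Constructed sample, modelled on the two cookies set by the test page above.
$responseHeaders = [
    'TestNonHttpOnly=True; path=/; domain=.example.com',
    'TestHttpOnly=True; path=/; domain=.example.com; HttpOnly',
];
$jar = array_map('parseSetCookie', $responseHeaders);

echo 'Cookie header sent to PHP: ', cookieRequestHeader($jar), PHP_EOL;
echo 'document.cookie in script: ', scriptVisibleCookies($jar), PHP_EOL;
print_r(serverSideCookies(cookieRequestHeader($jar)));
```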

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow