Magento's "Use HTTP Only" Cookie Setting

Published: March 8, 2017

Recently, while checking out Mozilla Observatory I learned about the HttpOnly Set-Cookie directive. If you’re not familiar with it, here’s an explanation from MDN…

HTTP-only cookies aren’t accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs to prevent attacks against cross-site scripting (XSS).

The “HttpOnly” name is a bit confusing and is sometimes misinterpreted as having something do to with HTTP vs HTTPS. However, that is not the case. The idea is that the cookie is made available to the server as part of the HTTP request (“HTTP only”). However, the browser has no access to it.

This provides a layer of security against XSS as, even if an attacker is able to get malicious script to execute on a web page, the attacker won’t be able to access precious cookies, which are often the only key needed to compromise a user (or admin) account.

This got me interested in investigating how Magento manages that flag. I decided to dig in to get a better understanding. Here, I’ll documented my findings…

WTF Is uenc?

Published: March 6, 2017


If you’ve worked with Magento before, you’ve probably seen a URL that looks like this…,,/product/406/form_key/giZIAWUXy2azlHw1/

Have you ever wondered to yourself, WTF is uenc?

In this post I’ll explore that question…

Against List View

Published: March 1, 2017

Out-of-box, both Magento 1 and 2 provides the ability to toggle between “Grid View” and “List View”.

A screenshot showing toggling between list view and grid view in Magento 2

“Grid View” displays the products in an image grid, as pictured above. It is the default “mode” for viewing a category or search results page.

In “List View” the products are listed in a single column as pictured below.

A screenshot showing toggling between list view and grid view in Magento 2

Not only is list view unnecessary, it’s also harmful. Here I’ll explain why…

Stripping A Query Parameter From A URL in PHP

Published: March 1, 2017


Recently I needed a function to remove a single query parameter from a given URL in PHP. This seems like the type of thing that there should be a canonical answer for, but, if you run a Google search, you’ll see that there are many ways to skin this cat.

After giving the task some thought, I wound up implementing essentially what is described in this Stack Overflow answer. In this post, I share the approach, along with the final code.

URL Based Apache Directives

Published: February 27, 2017


Recently, I was working through an issue where I wanted to conditionally increase PHP’s memory limit based on the request URL. Rather than building that logic into the application, handling via Apache directives seemed like a cleaner approach. Here I’ll outline how I achieved this.

Overriding Inline onclick Attributes With Event Capturing

Published: February 16, 2017


Recently, I needed to override a <button>’s inline onclick attribute. I was writing a plugin for Magento, which, for better or worse, makes heavy use on inline onclick attributes. If you run a Google search you’ll see that the canonical answer looks something like this…

document.getElementById('my-id').onclick = myOnClick;

For most uses cases this work fine. However, there is a caveat that should accompany this answer. It doesn’t work for elements that are dynamically added to the document.

But never fear, there’s another approach that can be used to override inline onclick attributes that works with dynamically added elements. And that approach, my friends, is called event capturing.