PHP

Made by DeepSource

Audit required: Sensitive cookie without HttpOnly attribute PHP-A1003

Security
Critical
a03 cwe-79 cwe-1004 sans top 25 owasp top 10 cwe-325

Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks.

By default, the setcookie and setrawcookie functions create the cookie with httponly set to false. Set httponly to true explicitly to remove this risk.

In the past, this has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks target the theft of cookies set by the application. If the httponly attribute is set to true, an XSS vulnerability cannot be exploited to steal the application's cookies.
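The insecure call beside the form this rule asks for, plus a small check over Set-Cookie headers, as an added example that is not DeepSource's own code. `$sessionId` is an assumed, freshly generated token; the `secure` and `samesite` options go beyond what the rule requires and are added as defence in depth.

```php
<?php
// Added example, not DeepSource's code. $sessionId stands in for the
// application's real session token.
$sessionId = bin2hex(random_bytes(16));

// Flagged by PHP-A1003: httponly is omitted, so it defaults to false and
// the cookie is readable from client-side script.
setcookie('session_id', $sessionId, time() + 3600, '/');

// Hardened form using the options array (PHP >= 7.3). httponly is explicit;
// secure and samesite are extra hardening, not required by the rule.
setcookie('session_id', $sessionId, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Legacy positional signature (PHP < 7.3): httponly is the seventh argument.
setcookie('session_id', $sessionId, time() + 3600, '/', '', true, true);

// setrawcookie has the same default and takes the same fix.
setrawcookie('csrf', rawurlencode($sessionId), ['path' => '/', 'httponly' => true]);

// Check helper: returns the names of cookies set without HttpOnly. In a
// web request it can be run over headers_list(); here it runs over
// constructed sample headers so the script works offline.
function cookiesMissingHttpOnly(array $headers): array
{
    $missing = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue;
        }
        $attrs = array_map('trim', explode(';', substr($header, strlen('Set-Cookie:'))));
        $name  = explode('=', array_shift($attrs), 2)[0];
        $flags = array_map('strtolower', $attrs);
        if (!in_array('httponly', $flags, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

$sampleHeaders = [ // constructed sample, not real application output
    'Set-Cookie: session_id=abc; Path=/',
    'Set-Cookie: session_id=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
    'Set-Cookie: csrf=xyz; Path=/; HttpOnly',
];
var_dump(cookiesMissingHttpOnly($sampleHeaders));
```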
