DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
PHP

PHP

Made by DeepSource
Use Analyzer

Invalid options array while creating a cookie PHP-E1116

Bug risk
Critical

One or more keys used in the options array contains an invalid key in the setcookie/setrawcookie function. Starting from PHP 7.3.0, setcookie and setrawcookie functions provide the ability to set cookie options via passing an associative array to a third parameter.

An associative array only allows the use of expires, path, domain, secure, httponly, and samesite keys to be present. Using anything other than these would raise a warning for PHP > 8.0, and a fatal error for PHP >= 8.0 during the runtime.

Bad practice

setcookie('cookie_name', 'value', [
    'expires' => time() + 3600,
    'url' => 'https://example.com', // invalid: `url` option is not allowed
    'secure' => true,
    'httponly' => true,
]);

Using array inside the options array is also not allowed:

setcookie('cookie_name', 'value', [
    'expires' => time() + 3600,
    // invalid: will result in "Uncaught ValueError: setcookie(): option array cannot have numeric keys" error
    [
        'secure' => true,
        'httponly' => true,
    ],
]);

Recommended

setcookie('cookie_name', 'value', [
    'expires' => time() + 3600,
    'secure' => true,
    'httponly' => true,
]);

References