PHP-A1003 · Audit required: Sensitive cookie without `HttpOnly` attribute

Audit required: Sensitive cookie without HttpOnly attribute PHP-A1003

Security

Critical

a month ago — 2 years old

a03 cwe-79 cwe-1004 sans top 25 owasp top 10 cwe-325

Cookie set without HttpOnly only flag

15
16    public function setUser(string|array|string $data): void
17    {
18        setcookie('user_name', $data['name'], [19            'expires' => time() + 3600,
20            'url' => 'https://example.com',
21        ]);

Description

Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks.

By default, setcookie and setrawcookie function creates cookie with httponly value to false. It is recommended to explicitly set httponly to true to prevent the risk.

In past it has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks target the theft of cookies set by application. If httponly attribute is set to true, it won't be possible to exploit the XSS vulnerability to steal application cookies.

QuackatronHQ / Gigarepo

References