Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      php.ini file: Make sure creating the session cookie without the "secure" flag is safe here.
      php files: Make sure creating this cookie without the "secure" flag is safe here.
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Sensitive Code Example

      In php.ini you can set the flags of the session cookie, which is security-sensitive:

      session.cookie_secure = 0; // Sensitive: this security-sensitive session cookie is created with the secure flag set to false (cookie_secure = 0)
      

      Same thing in PHP code:

      session_set_cookie_params($lifetime, $path, $domain, false);  
      // Sensitive: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_
      

      If you create a custom security-sensitive cookie in your PHP code:

      $value = "sensitive data";
      setcookie($name, $value, $expire, $path, $domain, false);  // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) set to _false_
      

      By default, the setcookie and setrawcookie functions leave the sixth argument (the secure flag) set to false when it is not passed:

      $value = "sensitive data";
      setcookie($name, $value, $expire, $path, $domain);  // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not passed (defaults to false)
      setrawcookie($name, $value, $expire, $path, $domain);  // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not passed (defaults to false)
      

      Compliant Solution

      session.cookie_secure = 1; // Compliant: the sensitive cookie will not be sent during an unencrypted HTTP request thanks to the cookie_secure property set to 1
      
      session_set_cookie_params($lifetime, $path, $domain, true); // Compliant: the sensitive cookie will not be sent during an unencrypted HTTP request thanks to the secure flag (the fourth argument) set to true
      
      $value = "sensitive data";
      setcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be sent during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
      setrawcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be sent during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
      
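      The following Python script is an added example, not SonarSource's analyzer and not part of this issue: it approximates the rule logic above as a small stand-alone checker that a reviewer could run over a php.ini file and PHP source files. It flags the patterns the Sensitive Code Example lists (session.cookie_secure set to 0, the fourth argument of session_set_cookie_params false, the sixth argument of setcookie/setrawcookie false or not passed) and, going one step further than the page, also inspects the PHP 7.3+ array-form calls (session_set_cookie_params(array $options) and setcookie($name, $value, array $options)), where a missing 'secure' key likewise defaults to false. The php.ini and PHP samples inside the script are constructed for the demonstration; the finding messages and the Finding class are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (not taken from any real project).
PHP_INI_SAMPLE = """\
session.name = PHPSESSID
session.cookie_secure = 0
session.cookie_httponly = 1
"""

PHP_SOURCE_SAMPLE = """\
<?php
session_set_cookie_params($lifetime, $path, $domain, false);
session_set_cookie_params($lifetime, $path, $domain, true);
setcookie($name, $value, $expire, $path, $domain);
setcookie($name, $value, $expire, $path, $domain, false);
setcookie($name, $value, $expire, $path, $domain, true);
setrawcookie($name, $value, $expire, $path, $domain, true);
setcookie($name, $value, ['expires' => $expire, 'path' => $path, 'secure' => true, 'httponly' => true]);
session_set_cookie_params(['lifetime' => $lifetime, 'path' => $path]);
"""


@dataclass
class Finding:
    line: int      # 1-based line number; 0 means "whole file"
    message: str


# 0-based position of the "secure" argument in each function's legacy signature.
SECURE_ARG_INDEX = {
    "session_set_cookie_params": 3,  # (lifetime, path, domain, secure, httponly)
    "setcookie": 5,                   # (name, value, expire, path, domain, secure, httponly)
    "setrawcookie": 5,
}
CALL_RE = re.compile(r"\b(session_set_cookie_params|setcookie|setrawcookie)\s*\(")
INI_RE = re.compile(r"^\s*session\.cookie_secure\s*=\s*(\S*)", re.I)


def check_php_ini(text):
    """Flag session.cookie_secure when it is off, or absent (PHP's default is 0)."""
    findings, seen = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        directive = raw.split(";", 1)[0]  # ';' starts a comment in php.ini
        m = INI_RE.match(directive)
        if not m:
            continue
        seen = True
        value = m.group(1).strip('"').lower()
        if value in ("0", "off", "false", "no", ""):
            findings.append(Finding(n, "session.cookie_secure is off: the session cookie is sent over plain HTTP"))
    if not seen:
        findings.append(Finding(0, "session.cookie_secure not set: PHP defaults it to 0"))
    return findings


def extract_call_args(source, start):
    """Return the text between the '(' at `start` and its matching ')'."""
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return source[start + 1:]  # unterminated call: best effort


def split_args(arg_text):
    """Split a PHP argument list on top-level commas, ignoring commas nested in (), [] or strings."""
    args, depth, buf, quote = [], 0, "", None
    for ch in arg_text:
        if quote:
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf += ch
        elif ch in "([":
            depth += 1
            buf += ch
        elif ch in ")]":
            depth -= 1
            buf += ch
        elif ch == "," and depth == 0:
            args.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        args.append(buf.strip())
    return args


def secure_in_options_array(arg):
    """True/False for an explicit 'secure' => value in an options array, None if the key is absent."""
    m = re.search(r"['\"]secure['\"]\s*=>\s*(true|false|0|1)", arg, re.I)
    return None if not m else m.group(1).lower() in ("true", "1")


def check_php_source(source):
    """Flag cookie-creating calls whose secure flag is false or left at its default."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        line = source.count("\n", 0, m.start()) + 1
        args = split_args(extract_call_args(source, m.end() - 1))
        # Array form (PHP 7.3+): options are arg 1 of session_set_cookie_params, arg 3 of setcookie.
        opt_idx = 0 if func == "session_set_cookie_params" else 2
        if len(args) > opt_idx and re.match(r"(\[|array\s*\()", args[opt_idx]):
            secure = secure_in_options_array(args[opt_idx])
            if secure is None:
                findings.append(Finding(line, f"{func}: options array has no 'secure' key (defaults to false)"))
            elif not secure:
                findings.append(Finding(line, f"{func}: options array sets 'secure' => false"))
            continue
        idx = SECURE_ARG_INDEX[func]
        if len(args) <= idx:
            findings.append(Finding(line, f"{func}: secure flag not passed (defaults to false)"))
        elif args[idx].lower() in ("false", "0"):
            findings.append(Finding(line, f"{func}: secure flag explicitly false"))
    return findings


if __name__ == "__main__":
    for f in check_php_ini(PHP_INI_SAMPLE) + check_php_source(PHP_SOURCE_SAMPLE):
        print(f"line {f.line}: {f.message}")
```

      The checker is deliberately simple: it only sees literal true/false (a flag computed at runtime is not analysed) and it does not follow include files, so it is a triage aid, not a replacement for the analyzer. When remediating, keep in mind that a cookie carrying the secure flag is never sent over plain HTTP, so the application must actually be served over HTTPS for the session to work.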

            People

            Assignee: Unassigned
            Reporter: Pierre-Yves Nicolas (pierre-yves.nicolas)
            Votes: 0
            Watchers: 2