Project: SonarPHP
Issue: SONARPHP-934

[S2092] & [S3330] Bad flags on cookies not detected correctly


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.3
    • Component/s: Rules

Description

S2092 and S3330 should be adjusted to raise more issues (fewer false negatives):

  • For the setcookie() and setrawcookie() functions, both rules are currently triggered only when the 6th (httpOnly flag = S3330) and the 7th (secure flag = S2092) arguments are explicitly set to false; but when these arguments are not given at all, PHP defaults them to false.
  • The httponly rule (S3330) is currently categorized as a vulnerability, but it could be considered a security hotspot, like the secure rule (S2092):
    • to be consistent across all the cookie-flag rules;
    • because each finding needs a review:
      • the secure flag should be set on all cookies; it is a best practice for every web application,
      • but in a development environment HTTPS may not be implemented,
      • and there is no direct impact on security (if HTTPS is in place the cookie is protected regardless of whether the secure flag is set to true);
      • the same applies to httponly: some sites need to set it to false (the cookie is accessed by client-side JavaScript),
      • and setting the httponly flag to false has no direct impact either.


Attachments

  1. CookiesSecureCheck.php (2 kB)
  2. http_only.ini (0.4 kB)
  3. HttpOnlyCheck.php (1 kB)


People

  Assignee: Eric Therond (eric.therond)
  Reporter: Eric Therond (eric.therond)
  Votes: 0
  Watchers: 1
