
Cookie missing security attributes

#### Description

Secure cookie: a cookie with the Secure attribute is only sent to the server over an encrypted HTTPS connection. Cookies missing the Secure flag can be sent over unencrypted channels, where they can be read by anyone on the path. The flag's presence does not justify storing sensitive data in a cookie, as the cookie itself remains an unsafe place to store data.

HttpOnly cookie: a cookie with the HttpOnly attribute helps mitigate the impact of cross-site scripting (XSS) vulnerabilities, because HttpOnly cookies are inaccessible from JavaScript through the `document.cookie` API.

```http
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
```
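The following is an added example, not part of the original page: a small checker that parses `Set-Cookie` response headers and reports which cookies lack the Secure or HttpOnly attribute described above. Attribute names are matched case-insensitively, as RFC 6265 requires, so a plain substring search is avoided; the sample headers are constructed for illustration.

```python
from typing import NamedTuple


class CookieAudit(NamedTuple):
    name: str
    secure: bool
    httponly: bool

    @property
    def missing(self) -> list[str]:
        """Names of the security attributes this cookie does not carry."""
        flags = []
        if not self.secure:
            flags.append("Secure")
        if not self.httponly:
            flags.append("HttpOnly")
        return flags


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which flags are present.

    Secure and HttpOnly take no value, so only the bare attribute name
    (lower-cased) is compared. Attributes are separated by ';'.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_response_headers(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {cookie name: missing flags} for every Set-Cookie header lacking one."""
    findings: dict[str, list[str]] = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        result = audit_set_cookie(value)
        if result.missing:
            findings[result.name] = result.missing
    return findings


# Constructed sample response headers: the page's compliant cookie plus two
# cookies that a scanner would flag.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly"),
    ("Set-Cookie", "PHPSESSID=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```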

#### Recommendation
Add the missing security attributes to the cookies. How the flags are added depends
on the framework used: it can either be a global setting or be done
manually by adding the flags when each cookie is set.

For session cookies managed by PHP, the flags are set either in `php.ini`:

```ini
session.cookie_secure = True
session.cookie_httponly = True
```

Or in code, using the `$secure` and `$httponly` parameters of `setcookie()` (or the matching keys of its `$options` array):

```php
setcookie ( string $name [, string $value = "" [, int $expires = 0 [, string $path = "" [, string $domain = "" [, bool $secure = FALSE [, bool $httponly = FALSE ]]]]]] ) : bool
setcookie ( string $name [, string $value = "" [, array $options = [] ]] ) : bool
```

For accurate details on how to add the flag, check the documentation of your framework.

#### Standards

  • OWASP_ASVS_L1:
    • V3_4_2
  • OWASP_ASVS_L2:
    • V3_4_2
  • OWASP_ASVS_L3:
    • V3_4_2
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_6
    • REQ_3_7
    • REQ_6_2
    • REQ_6_3
    • REQ_6_4
    • REQ_11_3