Php Set Cookie Without Httponly
Description
Detects when PHP cookies are set without the HttpOnly flag enabled. Without this flag, client-side scripts can read the cookie through document.cookie, so any cross-site scripting (XSS) flaw in the application lets an injected script steal sensitive cookie data such as the session identifier.
Detection Strategy
• Check for cookie-setting functions such as setcookie(), setrawcookie() or session_set_cookie_params() in PHP code
• Examine the function parameters to verify whether the HttpOnly flag is set, in either the positional argument or the options-array form
• Report a vulnerability if a cookie is set without explicitly enabling the HTTPOnly flag
• Consider cookies vulnerable if the HTTPOnly parameter is set to false or omitted
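The detection strategy above, carried out as a small static check. This is an added example written for this page, not Fluid Attacks' own scanner: it scans PHP source for the three cookie-setting calls named above, splits each call into its top-level arguments, and reports any call whose HttpOnly flag is false, omitted, or not a literal true (both the positional signature and the PHP 7.3+ options-array form are handled). The sample PHP source is constructed for the example.

```python
import re

# Cookie-setting functions this rule inspects, mapped to the 0-based position of
# their positional `httponly` parameter (PHP's default for all three is false).
COOKIE_FUNCS = {
    "setcookie": 6,                  # setcookie($name, $value, $expires, $path, $domain, $secure, $httponly)
    "setrawcookie": 6,               # same signature as setcookie
    "session_set_cookie_params": 4,  # session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly)
}
# Index of the argument that may carry an options array instead of positional flags
# (setcookie/setrawcookie since PHP 7.3: third argument; session_set_cookie_params: first).
ARRAY_ARG_INDEX = {"setcookie": 2, "setrawcookie": 2, "session_set_cookie_params": 0}

CALL_RE = re.compile(r"\b(setcookie|setrawcookie|session_set_cookie_params)\s*\(")
HTTPONLY_OPT_RE = re.compile(r"""['"]httponly['"]\s*=>\s*true\b""", re.IGNORECASE)

# Constructed sample PHP source mixing the vulnerable and secure shapes the rule describes.
SAMPLE_PHP = r'''<?php
session_set_cookie_params(3600, '/', 'example.com', true, false);
setcookie("user_token", "123456", time() + 3600, "/");
setrawcookie("raw_token", "abc", time() + 3600, "/", "", true);
session_set_cookie_params(3600, '/', 'example.com', true, true);
setcookie("user_token", "123456", [
    'expires' => time() + 3600,
    'path' => '/',
    'secure' => true,
    'httponly' => true,
]);
setcookie("legacy", "x", time() + 3600, "/", "", true, true);
setcookie("opts_missing", "x", ['path' => '/', 'secure' => true]);
session_set_cookie_params(['lifetime' => 3600, 'httponly' => true]);
'''


def _split_call_args(src, open_paren):
    """Split the call whose '(' sits at src[open_paren] into its top-level
    arguments; nested parentheses, brackets and string literals stay intact."""
    depth, quote, args, buf = 0, None, [], []
    i = open_paren
    while i < len(src):
        ch = src[i]
        if quote:                        # inside a string literal
            buf.append(ch)
            if ch == "\\" and i + 1 < len(src):
                i += 1
                buf.append(src[i])       # keep escaped character verbatim
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch in "([":
            depth += 1
            if depth > 1:
                buf.append(ch)
        elif ch in ")]":
            depth -= 1
            if depth == 0:               # closing paren of the call itself
                last = "".join(buf).strip()
                if last:
                    args.append(last)
                return args
            buf.append(ch)
        elif ch == "," and depth == 1:   # top-level argument separator
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    raise ValueError("unbalanced parentheses in call")


def _httponly_enabled(func, args):
    """True only when the call provably enables HttpOnly. A false literal, an
    omitted argument, or a variable/expression is all reported, which is the
    conservative choice for a static check."""
    arr = ARRAY_ARG_INDEX[func]
    if len(args) > arr and (args[arr].startswith("[") or args[arr].lower().startswith("array(")):
        return HTTPONLY_OPT_RE.search(args[arr]) is not None
    pos = COOKIE_FUNCS[func]
    return len(args) > pos and args[pos].lower() == "true"


def find_cookies_without_httponly(src):
    """Return [(line_number, function_name)] for every cookie-setting call
    that does not explicitly enable the HttpOnly flag."""
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args = _split_call_args(src, m.end() - 1)
        if not _httponly_enabled(func, args):
            findings.append((src.count("\n", 0, m.start()) + 1, func))
    return findings


if __name__ == "__main__":
    for line, func in find_cookies_without_httponly(SAMPLE_PHP):
        print(f"line {line}: {func}() sets a cookie without HttpOnly")
```

On the sample source the check reports lines 2 (httponly passed as false), 3 and 4 (httponly omitted) and 13 (options array without an httponly entry), and accepts the calls that pass a literal true. The regex-based call finder does not skip comments or strings, so a production scanner would work on a real PHP parse tree instead.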
Vulnerable code example
<?php
// VULNERABLE: httponly flag is false, allowing JavaScript access to session cookie
session_set_cookie_params(3600, '/', 'example.com', true, false);
session_start();
// VULNERABLE: httponly parameter omitted, cookie accessible via JavaScript
setcookie("user_token", "123456", time() + 3600, "/");
✅ Secure code example
<?php
// Set session cookie params with httponly=true to protect session cookie
session_set_cookie_params(3600, '/', 'example.com', true, true); // HttpOnly enabled
session_start();
// Set user token cookie with httponly flag for XSS protection
setcookie("user_token", "123456", [
    'expires' => time() + 3600,
    'path' => '/',
    'secure' => true,    // only sent over HTTPS
    'httponly' => true,  // HttpOnly enabled: not readable from JavaScript
]);