PHP Session Cookie Missing HttpOnly
Description
Detects when PHP session cookies have the HttpOnly flag disabled or not set in php.ini configuration. Without HttpOnly, session cookies can be accessed via client-side scripts, making them vulnerable to cross-site scripting (XSS) attacks where malicious scripts could steal session identifiers.
Detection Strategy
• Check if 'session.cookie_httponly' setting exists in the [Session] section of php.ini
• Report a vulnerability if the setting is explicitly set to '0', 'Off', or empty string
• Report a vulnerability if the setting is missing entirely (null check)
• When vulnerable configuration is found, mark the line containing 'session.cookie_httponly' in php.ini, or line 0 if not found
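The checker below is an added example that implements the detection strategy above; it is not Fluid Attacks' own rule code. It goes slightly beyond the rule text: it matches the directive in any section (PHP ignores ordinary php.ini section headers, only [HOST=] and [PATH=] are meaningful), and when the directive appears more than once it reports the last occurrence, which is the value PHP actually applies. The php.ini fragments are constructed samples.

```python
import re

# Values PHP reads as "off" for a boolean directive. The rule names '0',
# 'Off' and the empty string; 'false', 'no' and 'none' are also treated
# as off/empty by PHP's ini parser, so they are included here.
DISABLED_VALUES = {"", "0", "off", "false", "no", "none"}
DIRECTIVE = "session.cookie_httponly"


def check_session_cookie_httponly(ini_text: str) -> dict:
    """Return {'vulnerable', 'line', 'value', 'section'} for php.ini text.
    'line' is 1-based; 0 means the directive is missing entirely.
    Later occurrences override earlier ones, matching PHP's behaviour."""
    section = None
    finding = {"vulnerable": True, "line": 0, "value": None, "section": None}
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank or comment line
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != DIRECTIVE:
            continue
        # Drop a trailing inline comment and optional quotes around the value.
        value = value.split(";", 1)[0].strip().strip("\"'")
        finding = {"vulnerable": value.lower() in DISABLED_VALUES,
                   "line": lineno, "value": value, "section": section}
    return finding


# Constructed php.ini samples (not taken from any real deployment).
VULNERABLE_INI = """\
[PHP]
file_uploads = On
[Session]
session.use_cookies = 1
session.cookie_httponly = Off ; flag explicitly disabled
"""

SECURE_INI = """\
[PHP]
session.cookie_httponly = 0
[Session]
session.use_cookies = 1
session.cookie_httponly = 1 ; later value wins, so this file is secure
"""
```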
Vulnerable code example
[PHP]
; Basic PHP settings
file_uploads = On
upload_max_filesize = 2M
[Session]
session.use_cookies = 1
session.use_only_cookies = 1...
✅ Secure code example
[PHP]
; Basic PHP settings
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off ; Prevent remote file inclusion attacks
default_socket_timeout = 60...