PHP Insecure SameSite Cookie Attribute
Description
This detector identifies PHP setcookie() calls whose options array sets an insecure SameSite attribute. SameSite controls whether the browser attaches a cookie to cross-site requests; an improper value (such as the 'None' used in the vulnerable example below) lets the cookie travel with requests initiated from other sites, which is exactly what CSRF and related cookie-based attacks depend on.
Detection Strategy
• Identifies calls to the PHP setcookie() function in the source code
• Checks that the setcookie call has exactly 3 arguments (name, value, options)
• Verifies the first argument (cookie name) contains potentially unsafe content
• Analyzes the third argument (options array) to detect insecure SameSite attribute usage
• Reports vulnerability when the options array contains problematic SameSite configurations that could enable cross-site cookie transmission
Vulnerable code example

<?php
function vulnerable_cookie(): void
{
    setcookie("session", "value", [
        // Vulnerable: the browser attaches this cookie to cross-site requests
        'samesite' => 'None',
    ]);
}

Secure code example
<?php
function secure_cookie(): void
{
    setcookie("session", "value", [
        // Secure: the cookie is only sent on same-site requests
        // ('Lax' would still allow it on top-level cross-site navigations)
        'samesite' => 'Strict',
    ]);
}
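As an added illustration of the detection strategy above (example code written for this page, not Fluid Attacks' detector), the following Python script locates setcookie() calls in a constructed PHP snippet, keeps only the three-argument form, and flags an options array whose 'samesite' entry is 'None' or absent. The argument splitter, the regular expressions and the sample source are assumptions of this example.

```python
import re
SETCOOKIE_CALL = re.compile(r"\bsetcookie\s*\(")  # the '(' is the last char matched
SAMESITE_OPTION = re.compile(r"['\"]samesite['\"]\s*=>\s*['\"]([^'\"]*)['\"]", re.I)

def split_call_args(src, open_paren):
    """Top-level args of the call whose '(' is at src[open_paren]; None if unclosed.
    Quotes and bracket depth are tracked so inner commas do not split an argument."""
    depth, quote, buf, args, i = 0, None, [], [], open_paren
    while i < len(src):
        ch = src[i]
        if quote:                                 # inside a string literal
            if ch == "\\" and i + 1 < len(src):   # keep the escaped char verbatim
                buf.append(ch); i += 1; ch = src[i]
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
            if depth == 1: i += 1; continue       # the call's own '(' is not an arg
        elif ch in ")]}":
            depth -= 1
            if depth == 0:                        # closing paren of the call itself
                return args + ["".join(buf).strip()]
        elif ch == "," and depth == 1:            # top-level argument separator
            args.append("".join(buf).strip()); buf = []; i += 1; continue
        buf.append(ch); i += 1
    return None

def find_insecure_samesite(php_source):
    """Report 3-argument setcookie() calls whose options let the cookie go cross-site."""
    findings = []
    for m in SETCOOKIE_CALL.finditer(php_source):
        args = split_call_args(php_source, m.end() - 1)
        if args is None or len(args) != 3:        # only (name, value, options) is modelled
            continue
        line = php_source.count("\n", 0, m.start()) + 1
        match = SAMESITE_OPTION.search(args[2])
        if match is None:                         # unset: the browser default decides
            findings.append({"line": line, "cookie": args[0].strip("'\""), "samesite": None})
        elif match.group(1).lower() == "none":    # sent with every cross-site request
            findings.append({"line": line, "cookie": args[0].strip("'\""), "samesite": "None"})
    return findings

SAMPLE_PHP = """<?php
setcookie("session", "abc", ['samesite' => 'None', 'secure' => true]);
setcookie("pref", "dark", ['httponly' => true]);
setcookie("csrf", "tok", ['samesite' => 'Strict']);
setcookie("legacy", "x");
"""  # constructed sample input for this example, not code from any real project
```

Running find_insecure_samesite(SAMPLE_PHP) reports the "session" cookie (SameSite=None) and the "pref" cookie (SameSite unset); the "csrf" cookie passes and the two-argument "legacy" call is skipped, as the detector's strategy prescribes.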