PHP Predictable Session Cookie
Description
Detects when PHP applications set session cookies using predictable or weak values that could be guessed by attackers. This creates a risk of session hijacking where attackers can impersonate legitimate users by predicting their session identifiers.
Detection Strategy
• Identifies calls to PHP's setcookie() function in the application code
• Checks if the cookie value being set uses weak generation methods like fixed strings, predictable patterns, or insecure random functions
• Specifically focuses on cookies used for session management by analyzing parameter names and contexts
• Reports issues when session cookies are set with non-cryptographically secure values that could be predicted
Vulnerable code example
<?php
function setUserSession($userId) {
    $id = generateSessionId($userId);
    setcookie("session", $id); // Vulnerable: Cookie set without security flags (secure, httponly)
    return $id;
}
?>

✅ Secure code example
<?php
function setUserSession($userId) {
    $id = generateSessionId($userId);
    // Set cookie with secure flags to prevent XSS and MITM attacks
    setcookie("session", $id, [
        'expires' => time() + 3600,
        'path' => '/',
        'secure' => true, // Only transmitted over HTTPS
        'httponly' => true, // Not readable from JavaScript, which limits the impact of XSS
    ]);
    return $id;
}
?>
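The secure example above covers the cookie flags but leaves the session identifier itself to an unspecified `generateSessionId()`, while the detection strategy is about whether that value is predictable. The following is an added example, not code from the Fluid Attacks page, that puts a predictable generator next to one backed by the OS CSPRNG and then sets the cookie with the same flags; `weakSessionId`, `secureSessionId` and `sessionMatches` are illustrative names, and the `samesite` option goes beyond what the page's example shows.

```php
<?php
// Added example (not from the original page). Function names are assumptions
// chosen for illustration; only setcookie(), random_bytes(), bin2hex() and
// hash_equals() are real PHP built-ins.
declare(strict_types=1);

// WEAK: the value is a function of the user ID and the current second. Anyone
// who knows (or guesses) the user ID and the approximate login time can
// enumerate a small set of candidates. A value built from md5(), time(),
// rand() or mt_rand() is exactly what the detector reports as predictable.
function weakSessionId(int $userId): string
{
    return md5($userId . time());
}

// SECURE: 32 bytes (256 bits) from the operating system's CSPRNG, hex-encoded
// so the value is safe to put in a cookie header. random_bytes() throws an
// Exception when no secure source is available; letting that propagate is the
// correct failure mode rather than falling back to rand()/mt_rand().
function secureSessionId(): string
{
    return bin2hex(random_bytes(32));
}

function setUserSession(int $userId): string
{
    $id = secureSessionId();
    setcookie('session', $id, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,      // only transmitted over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests (PHP 7.3+)
    ]);
    return $id;
}

// When the server looks up a presented identifier, compare it in constant
// time so response timing cannot leak how many leading characters matched.
function sessionMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Self-check from the command line: cookies cannot be sent from the CLI, so
// only the two generators are exercised here.
if (PHP_SAPI === 'cli') {
    $a = weakSessionId(42);
    $b = weakSessionId(42);   // same user, same second: identical value
    printf("weak:   %s%s\n", $a, $a === $b ? '  (repeatable)' : '');
    printf("secure: %s\n", secureSessionId());
    printf("secure: %s\n", secureSessionId());   // differs on every call
}
```

Running the script from the CLI prints the weak value twice as the same digest and two different 64-character hex strings for the secure generator. In a real application the returned identifier would be stored server-side keyed to the user, and every later lookup should go through `sessionMatches()` rather than a plain `==`.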