PHP Set Cookie Without Secure Flag
Description
Detects when cookies are configured in PHP applications without the secure flag enabled. When cookies lack the secure flag, they can be transmitted over unencrypted HTTP connections, potentially exposing sensitive cookie data to network eavesdroppers.
Detection Strategy
• Check for cookie-setting operations in PHP code like setcookie() or setrawcookie()
• Examine the parameters passed to cookie operations to determine if the secure flag is explicitly set to false or omitted
• Flag vulnerable cookie configurations where the secure parameter is not explicitly set to true
• Consider the context: cookies carrying sensitive data (session tokens, authentication state) should always use the secure flag
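The strategy above, as an added example that is not part of the original page: a small Python checker that finds setcookie()/setrawcookie() calls in PHP source and reports those that do not explicitly set the secure flag to true, handling both the legacy positional form (secure is the sixth argument) and the options-array form. The sample PHP input is constructed; an options array passed as a variable cannot be inspected and is reported conservatively.

```python
import re
COOKIE_CALL = re.compile(r'\b(setcookie|setrawcookie)\s*\(')  # the calls the strategy looks for

def _call_args(src, open_paren):
    """Return the text inside the balanced parentheses starting at src[open_paren]."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += src[i] == '('
        depth -= src[i] == ')'
        if depth == 0:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced call: take the rest of the file

def _split_top_level(args):
    """Split on commas not nested in (), [] or {}; commas inside string literals are not handled."""
    parts, cur, depth = [], [], 0
    for ch in args:
        depth += ch in '([{'
        depth -= ch in ')]}'
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts

def secure_flag_set(args):
    """True only when the call explicitly sets the secure flag to true."""
    parts = _split_top_level(args)
    third = parts[2] if len(parts) >= 3 else ''
    if third.startswith('[') or third.lower().startswith('array'):
        # PHP 7.3+ options-array form: requires a 'secure' => true entry
        return re.search(r"""['"]secure['"]\s*=>\s*true\b""", third, re.I) is not None
    # Legacy positional form: secure is the 6th argument; omitted or false is flagged
    return len(parts) >= 6 and parts[5].lower() == 'true'

def find_insecure_cookies(src):
    """Return (line, function) for every cookie call that is not secure=true."""
    findings = []
    for m in COOKIE_CALL.finditer(src):
        if not secure_flag_set(_call_args(src, m.end() - 1)):
            findings.append((src.count('\n', 0, m.start()) + 1, m.group(1)))
    return findings
# Constructed sample input (not from the page): lines 2 and 4 should be reported.
SAMPLE_PHP = """<?php
setcookie("auth_token", "secret123", ['expires' => time() + 3600, 'secure' => false]);
setcookie("sid", $sid, time() + 3600, '/', '', true, true);
setrawcookie("pref", "dark", time() + 3600, '/');
setcookie("auth", $token, ['path' => '/', 'secure' => true, 'httponly' => true]);
"""
```

Calling find_insecure_cookies(SAMPLE_PHP) returns [(2, 'setcookie'), (4, 'setrawcookie')].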
Vulnerable code example
<?php
// VULNERABLE: Cookie set without secure flag, allowing transmission over HTTP
setcookie("auth_token", "secret123", [
    'expires' => time() + 3600,
    'path' => '/',
    'httponly' => true,
    'secure' => false // Explicitly setting secure=false exposes cookie to MITM attacks
]);
Secure code example
<?php
// SECURE: Cookie set with secure flag to enforce HTTPS-only transmission
setcookie("auth_token", "secret123", [
    'expires' => time() + 3600,
    'path' => '/',
    'httponly' => true,
    'secure' => true // Set secure=true to ensure cookie only sent over HTTPS
]);