Fluid Attacks Database

Description

Detects when Laravel session cookies are configured without the secure flag enabled in the session configuration. This allows cookies to be transmitted over insecure HTTP connections, potentially exposing sensitive session data to network eavesdropping attacks.

Weakness:

130 - Insecurely generated cookies - Secure

Category: Access Subversion

Detection Strategy

• Scans the Laravel session configuration file (config/session.php)

• Checks if the 'secure' configuration key is explicitly set to false

• Identifies if the secure flag is disabled either through direct false assignment or through an environment variable defaulting to false

• Reports a vulnerability when cookies are configured to be transmitted without requiring HTTPS

Vulnerable code example

<?php

return [
    'cookie' => env('SESSION_COOKIE', 'laravel_session'),
    'secure' => env('SESSION_SECURE_COOKIE', false), // Insecure: defaults to false
    'http_only' => true,
];

✅ Secure code example

<?php

return [
    'cookie' => env('SESSION_COOKIE', 'laravel_session'),
    'secure' => env('SESSION_SECURE_COOKIE', true), // Safe: defaults to true
    'http_only' => true,
];

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.