Ensure cookies set the HttpOnly flag

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: php-security/cookie-http-only

Language: PHP

Severity: Error

Category: Security

CWE: 1004

Description

This rule is crucial for preventing cross-site scripting (XSS) attacks. When the HttpOnly flag is set to true, it instructs the browser to prevent client-side scripts from accessing the cookie. This is important because if a malicious script can access the session cookie, it can impersonate the user, potentially leading to a security breach.

Non-compliance with this rule can make your application vulnerable to XSS attacks. An attacker can exploit this vulnerability to steal sensitive information, manipulate user data, or even gain control over user accounts.

To avoid this, always set the HttpOnly flag to true when setting cookies in your PHP code. This can be done by passing true as the final argument when calling the setcookie or session_set_cookie_params functions. This ensures that your cookies are not accessible through client-side scripts, thereby increasing the security of your application.

Non-Compliant Code Examples

<?php
$value = "cookie data";
session_set_cookie_params($lifetime, $path, $domain, true, false);
setcookie($name, $value, $expire, $path, $domain, true, false);

Compliant Code Examples

<?php
$value = "cookie data";
session_set_cookie_params($lifetime, $path, $domain, true, true);
setcookie($name, $value, $expire, $path, $domain, true, true);
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes