Missing Secure option in cookie configuration

• Rule ID: php_lang_insecure_cookie
• Languages: php
• Source: insecure_cookie.yml

Description

When a cookie lacks the Secure attribute, it can be transmitted over insecure connections, making it vulnerable to interception by unauthorized parties. The Secure attribute is important because it instructs the browser to only send the cookie over HTTPS, enhancing security.

Remediations

• Do set the Secure attribute to true for cookies to ensure they are only sent over HTTPS.

  setcookie("name", "value", secure: true);

References

• OWASP Session Management Cheat Sheet
• OWASP Cookies Properties

Associated CWE

• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

OWASP Top 10

• A05:2021 - Security Misconfiguration

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_insecure_cookie

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_insecure_cookie