Unsanitized user input in session key
- Rule ID: php_symfony_session_key_using_user_input
- Languages: php
- Source: session_key_using_user_input.yml
Description
Incorporating user-provided data directly into session keys poses a significant security risk. This practice can allow attackers to manipulate session data or perform unauthorized actions by exploiting the predictability or vulnerability of the session mechanism.
Remediations
- Do not use user-defined data directly in session keys. This can lead to vulnerabilities where attackers might exploit the session management.

  $session = $requestStack->getSession();
  $session->set($userInput, $data); // unsafe: the client chooses the session key

- Do sanitize user input before incorporating it into session keys. Ensure that any data derived from user input is properly validated and sanitized to prevent injection attacks.
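The following is an added example, not code from the Bearer rule or from Symfony itself. It shows the flagged pattern beside a hardened form that resolves client input against an application-defined allow-list and namespaces the resulting key; the `ALLOWED_SESSION_KEYS` list, the `user_pref.` prefix and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the rule page): allow-list the session key
// instead of letting the client choose it.
declare(strict_types=1);

use Symfony\Component\HttpFoundation\Session\SessionInterface;

// Hypothetical allow-list of the preference keys this application stores.
const ALLOWED_SESSION_KEYS = ['theme', 'locale', 'items_per_page'];

// Hypothetical namespace so even allow-listed keys cannot collide with
// attributes the framework itself keeps in the session.
const SESSION_KEY_PREFIX = 'user_pref.';

/**
 * Map client-supplied input onto a key the application defined.
 * Returns null when the input is not an allowed key, so the caller can
 * never write to a key the client invented. Strict comparison: no trimming
 * or case folding, so "Theme" and "theme " are rejected.
 */
function resolveSessionKey(string $userInput): ?string
{
    return in_array($userInput, ALLOWED_SESSION_KEYS, true)
        ? SESSION_KEY_PREFIX . $userInput
        : null;
}

/** Unsafe form flagged by the rule: the client controls the key. */
function storePreferenceUnsafe(SessionInterface $session, string $userInput, mixed $data): void
{
    $session->set($userInput, $data); // unsafe: attacker-chosen key
}

/**
 * Hardened form: the key comes from the allow-list, the client-supplied
 * value is stored under it, and unknown keys are refused (return false)
 * rather than falling back to the raw input.
 */
function storePreferenceSafe(SessionInterface $session, string $userInput, mixed $data): bool
{
    $key = resolveSessionKey($userInput);
    if ($key === null) {
        return false; // log and reject; never use $userInput as the key
    }
    $session->set($key, $data);
    return true;
}
```

With this shape the scanner no longer sees user input flowing into the key argument of `set()`, and a request naming any other key is refused instead of reaching the session.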
References
Associated CWE
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=php_symfony_session_key_using_user_input
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=php_symfony_session_key_using_user_input