Made by DeepSource

Audit required: Sensitive cookie without HttpOnly attribute PHP-A1003

a03 cwe-79 cwe-1004 sans top 25 owasp top 10 cwe-325

Cookies set without the httponly flag can be read by a client-side script, leading to cookie theft from Cross-Site Scripting (XSS) attacks.

By default, setcookie and setrawcookie function creates cookie with httponly value to false. It is recommended to explicitly set httponly to true to prevent the risk.

In past it has led to vulnerabilities like:

Cross-Site Scripting (XSS) attacks target the theft of cookies set by application. If httponly attribute is set to true, it won't be possible to exploit the XSS vulnerability to steal application cookies.