Audit required: Sensitive cookie without secure attribute PHP-A1005

Cookies set without the secure flag can cause the user agent to send those cookies in plaintext over an HTTP session with the same server. This can be observed by an unauthorized person, leading to a man-in-the-middle attack.

In past it has led to the following vulnerabilities:

• CVE-2009-2272
• CVE-2008-3663
• CVE-2008-0128

Generally, the production sites redirect any requests that are sent over HTTP to the same URL but on HTTPS. In this case, make sure that these HTTP requests that are immediately redirected to HTTPS do not carry any cookie that contains sensitive information. The secure flag limits cookies to HTTPS traffic only so, the browser will never send secure cookies with requests that are not encrypted.

Bad practice

// sensitive: cookie is set with 'secure' flag(6th parameter) to `false`, which can lead to security vulnerabilities in future
setcookie('user_data', 'sensitive value', time() + 3600, '', '', false);

Recommended

setcookie('user_data', 'sensitive value', time() + 3600, '', '', true);

References

• setcookie() Function
• OWASP Top 10:2021 > A02 - Cryptographic Failures
• OWASP Top 10:2017 > A03 - Sensitive Data Exposure
• CWE-311: Missing Encryption of Sensitive Data
• CWE-315: Cleartext Storage of Sensitive Information in a Cookie
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Exceptions

While this issue mostly makes sense if you're setting a sensitive cookie, DeepSource will flag all the cookies encountered without the secure flag. This is to ensure that you are aware about all the cookies set, and avoid false negatives.