Ensure Laravel cookies are encrypted

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: php-security/laravel-cookie-not-encrypted

Language: PHP

Severity: Error

Category: Security

CWE: 352

Description

All cookies in your PHP application should be encrypted. This is crucial because cookies often contain sensitive user information. If the cookies are not encrypted, they can be easily intercepted and exploited by malicious users or programs.

Not encrypting cookies can lead to serious security vulnerabilities. These can include session hijacking, where an attacker can impersonate a user by stealing their session cookie, or cross-site scripting (XSS), where an attacker can inject malicious scripts into web pages viewed by other users.

To ensure compliance with this rule, always use the EncryptCookies middleware in your middleware groups, as shown in the compliant code sample. This middleware will automatically encrypt all cookies sent by your application. Also, make sure to use HTTPS for all communications, as this will further secure your cookies by encrypting the entire communication channel.

Non-Compliant Code Examples

<?php
class Kernel extends HttpKernel
{
    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \Illuminate\Session\Middleware\StartSession::class,
            // Missing EncryptCookies middleware
        ],

        'api' => [
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
}

Compliant Code Examples

<?php
class Kernel extends HttpKernel
{
    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \Illuminate\Session\Middleware\StartSession::class,
        ],

        'api' => [
            'throttle:api',
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis