- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: php-security/laravel-cookie-not-encrypted
Language: PHP
Severity: Error
Category: Security
CWE: 352
All cookies in your PHP application should be encrypted. This is crucial because cookies often contain sensitive user information. If the cookies are not encrypted, they can be easily intercepted and exploited by malicious users or programs.
Not encrypting cookies can lead to serious security vulnerabilities. These can include session hijacking, where an attacker can impersonate a user by stealing their session cookie, or cross-site scripting (XSS), where an attacker can inject malicious scripts into web pages viewed by other users.
To ensure compliance with this rule, always use the EncryptCookies
middleware in your middleware groups, as shown in the compliant code sample. This middleware will automatically encrypt all cookies sent by your application. Also, make sure to use HTTPS for all communications, as this will further secure your cookies by encrypting the entire communication channel.
<?php
class Kernel extends HttpKernel
{
/**
* The application's route middleware groups.
*
* @var array
*/
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\Illuminate\Session\Middleware\StartSession::class,
// Missing EncryptCookies middleware
],
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
}
<?php
class Kernel extends HttpKernel
{
/**
* The application's route middleware groups.
*
* @var array
*/
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\Illuminate\Session\Middleware\StartSession::class,
],
'api' => [
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
}