ID: php-security/cookie-http-only
Language: PHP
Severity: Error
Category: Security
CWE: 1004
This rule is crucial for mitigating cross-site scripting (XSS) attacks. When the HttpOnly flag is set to true, the browser prevents client-side scripts from accessing the cookie. This matters because a malicious script that can read the session cookie can impersonate the user, potentially leading to a security breach.
Non-compliance with this rule leaves your application's cookies exposed to XSS attacks. An attacker who can run script in the page can use the stolen cookie to read sensitive information, manipulate user data, or take over user accounts.
To avoid this, always set the HttpOnly flag to true when setting cookies in your PHP code. With the positional signatures, pass true as the final argument when calling the setcookie or session_set_cookie_params functions; with the options-array signatures available since PHP 7.3, set the 'httponly' key to true. This ensures that your cookies are not accessible through client-side scripts, thereby increasing the security of your application.
Non-compliant code example (the final argument, httponly, is false):
<?php
$name = "token"; $value = "cookie data"; $lifetime = 3600;
$expire = time() + $lifetime; $path = "/"; $domain = "";
// Positional args: lifetime, path, domain, secure, httponly. httponly is false here.
session_set_cookie_params($lifetime, $path, $domain, true, false);
setcookie($name, $value, $expire, $path, $domain, true, false);
Compliant code example (httponly is true):
<?php
$name = "token"; $value = "cookie data"; $lifetime = 3600;
$expire = time() + $lifetime; $path = "/"; $domain = "";
// Positional args: lifetime, path, domain, secure, httponly. Both flags are true.
session_set_cookie_params($lifetime, $path, $domain, true, true);
setcookie($name, $value, $expire, $path, $domain, true, true);
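As an added example (not code from the Datadog rule page), the helpers below use the PHP 7.3+ options-array signatures so that HttpOnly is set centrally for both the session cookie and application cookies, and an audit function flags any pending Set-Cookie header that lacks the HttpOnly attribute. The COOKIE_HARDENING constant, the function names and the sample headers are assumptions constructed for this example.

```php
<?php
// Added example, not code from the Datadog rule page: cookie helpers that use the
// PHP 7.3+ options-array signatures so HttpOnly (and Secure/SameSite) are always set,
// plus an audit that flags pending Set-Cookie headers missing the HttpOnly attribute.
declare(strict_types=1);

// Attributes shared by the session cookie and application cookies (constructed).
const COOKIE_HARDENING = ['path' => '/', 'domain' => '', 'secure' => true,
                          'httponly' => true, 'samesite' => 'Lax'];

function start_hardened_session(): void {
    // 'lifetime' => 0 keeps the session cookie until the browser closes.
    session_set_cookie_params(['lifetime' => 0] + COOKIE_HARDENING);
    session_start();
}

function set_app_cookie(string $name, string $value, int $ttlSeconds): bool {
    // setcookie() takes 'expires' (absolute timestamp) instead of 'lifetime'.
    return setcookie($name, $value, ['expires' => time() + $ttlSeconds] + COOKIE_HARDENING);
}

// Returns the names of cookies whose Set-Cookie header lacks HttpOnly.
// Feed it headers_list() before any output is sent to check a real response.
function cookies_missing_httponly(array $headers): array {
    $missing = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        if (!preg_match('/;\s*HttpOnly\b/i', $h)) {
            $missing[] = explode('=', trim(substr($h, strlen('Set-Cookie:'))), 2)[0];
        }
    }
    return $missing;
}

// Constructed sample headers standing in for headers_list().
$sample = [
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
    'Set-Cookie: prefs=dark; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; secure',
];
var_dump(cookies_missing_httponly($sample));
```

Running the audit against headers_list() in a shutdown function or test harness turns this rule into a runtime check, complementing the static analysis.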