Insecurely generated cookies - HttpOnly - PHP

Insecurely generated cookies - HttpOnly - PHP

Need

Secure generation of cookies with the HttpOnly attribute

Context

  • Usage of PHP for server-side scripting and web development
  • Usage of Response for handling HTTP responses in a web application
  • Usage of cookie for managing HTTP cookies in Node.js

Description

Non compliant code

        public function setCookie() {
    $response = new Response('Hello World');
    $response->withCookie(cookie('name', 'value', 60));
    return $response;
}
        
        

In the code snippet above, we are setting a cookie named 'name' with the value 'value' which expires in 60 minutes. The cookie is being set without the HttpOnly attribute, which can make it vulnerable to Cross-Site Scripting (XSS) attacks. This is because a malicious script running on the client side can potentially access the cookie and compromise the user's session.

In the context of Laravel, the withCookie method does not set the HttpOnly attribute by default. This means that unless specified otherwise, the cookie can be accessed by JavaScript running in the browser.

The HttpOnly attribute is an important security measure that helps mitigate the risk of client-side script accessing the protected cookie data. If the HttpOnly attribute is set, then the cookie cannot be accessed through client-side script. This is useful to help prevent XSS attacks, as these scripts will not be able to access the cookie data even if they manage to execute successfully.

Steps

  • Identify all places in the code where cookies are being set.
  • Ensure that the HttpOnly attribute is set to true when creating cookies. This attribute prevents client-side scripts from accessing the cookie, mitigating the risk of cross-site scripting attacks.
  • Review the documentation for the cookie function being used to understand how to set the HttpOnly attribute.
  • Update the cookie creation code to include the HttpOnly attribute.
  • Test the application to ensure that cookies are being created with the HttpOnly attribute and that functionality has not been negatively impacted.

Compliant code

        public function setCookie() {
    $response = new Response('Hello World');
    $response->withCookie(cookie('name', 'value', 60, null, null, false, true));
    return $response;
}
        
        

The above code is a fixed version of the vulnerable code. The vulnerability was that the HttpOnly attribute was not set when creating the cookie. This attribute is important because it prevents client-side scripts from accessing the cookie, which mitigates the risk of cross-site scripting attacks.

In the fixed code, the cookie function is called with seven parameters: 'name', 'value', 'minutes', 'path', 'domain', 'secure', and 'httpOnly'. The 'httpOnly' parameter is set to true, which means that the cookie cannot be accessed by client-side scripts. This is a crucial step in preventing cross-site scripting attacks.

The 'secure' parameter is set to false, which means that the cookie will be sent over HTTP as well as HTTPS. If your application is served over HTTPS, you should set this parameter to true to ensure that the cookie is only sent over secure connections.

After making these changes, it's important to test the application to ensure that cookies are being created with the HttpOnly attribute and that functionality has not been negatively impacted.

References