# Cookie Domain Analyzer PRO

| Category | Severity | Time To Fix |
| --- | --- | --- |
| 🛡️ Security | Minor | 1 minute |

Class: `Enlightn\EnlightnPro\Analyzers\Security\CookieDomainAnalyzer`

# Introduction

The cookie domain attribute specifies which hosts are allowed to receive the cookie. If not specified, it defaults to the same host that set the cookie, excluding subdomains.

This analyzer confirms that your session cookie `domain` option (which is also the default for all other cookies) is set to `null` if your application has no subdomain route registrations.

If a domain attribute is specified, then subdomains are always included, potentially making your application less secure.
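The scoping difference described above can be modelled with the RFC 6265 storage and domain-matching rules. This is an added example, not Enlightn's code: the function names and the `example.test` hostnames are constructed for illustration, and public-suffix rejection is left out.

```javascript
// Added example: how a user agent scopes a cookie with and without a Domain
// attribute (RFC 6265 sections 5.1.3, 5.2.3 and 5.3). Hostnames are constructed.

// RFC 6265 5.1.3: a host domain-matches a cookie domain if the two are identical,
// or the host ends with "." + domain and the host is not an IP address.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Model how the cookie is stored when `settingHost` sets it.
// domainAttr === null corresponds to 'domain' => null (no Domain attribute sent).
function storeCookie(settingHost, domainAttr) {
  if (domainAttr === null || domainAttr === '') {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  if (!domainMatches(settingHost, domain)) return null; // rejected: not the setter's domain
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// Hosts from `hosts` that would receive the cookie.
function recipients(settingHost, domainAttr, hosts) {
  const cookie = storeCookie(settingHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ['example.test', 'www.example.test', 'uploads.example.test', 'notexample.test'];
console.log('domain => null:          ', recipients('example.test', null, hosts));
console.log("domain => 'example.test':", recipients('example.test', 'example.test', hosts));
```

With a domain set, a session cookie issued by the main application is also sent to every subdomain, including ones that serve unrelated or less trusted content.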

# How To Fix

Set the `domain` configuration option in your `config/session.php` file to `null`:

```php
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/

'domain' => null,
```

# Skip Condition

This analyzer is skipped if there are route registrations that relate to more than one unique domain or sub-domain in your application.
