Secure Cookie Analyzer PRO

Category	Severity	Time To Fix
🛡️ Security	⚠️ Critical	1 minute

Class: Enlightn\EnlightnPro\Analyzers\Security\SecureCookieAnalyzer

Introduction

This analyzer confirms that your application sets an appropriate 'secure' cookie attribute on your session cookies. Note that this is also the default value for all cookies in your application.

The analyzer fails if this value is set to "false" as this exposes the application to man-in-the-middle attacks.

A "true" value means that session cookies will only be sent to the server if the browser has an HTTPS connection. A null value automatically sets the attribute to "true" when the request is already using HTTPS and if not already on HTTPS, it disables the attribute.

If your application is HTTPS only, it is recommended to set this to "true". Otherwise, it is recommended to set to null so that the attribute is auto-enabled on HTTPS connections.

How To Fix

To fix this issue, simply set the secure configuration option in your config/session.php file (or the corresponding SESSION_SECURE_COOKIE env variable) to "true" or null:

/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/

'secure' => null,

Related Analyzers

• Http Only Cookie Analyzer
• Cookie Domain Analyzer
• Same Site Cookie Analyzer

References

• OWASP Guide on the Secure Cookie Attribute (opens new window)
• Introduction to Cookie Attributes (opens new window)
• OWASP Cookie Security Guide (opens new window)
• OWASP Session Management Cheatsheet (opens new window)