include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example In _php.ini_ you can specify the flags for the session cookie which is security-sensitive: ---- session.cookie_secure = 0; // Sensitive: this security-sensitive session cookie is created with the secure flag set to false (cookie_secure = 0) ---- Same thing in PHP code: ---- session_set_cookie_params($lifetime, $path, $domain, false); // Sensitive: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_ ---- If you create a custom security-sensitive cookie in your PHP code: ---- $value = "sensitive data"; setcookie($name, $value, $expire, $path, $domain, false); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) set to _false_ ---- By default https://www.php.net/manual/en/function.setcookie.php[``setcookie``] and https://www.php.net/manual/en/function.setrawcookie.php[``setrawcookie``] functions set the sixth argument / ``secure`` flag to _false:_ ---- $value = "sensitive data"; setcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false) setrawcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false) ---- == Compliant Solution ---- session.cookie_secure = 1; // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to cookie_secure property set to 1 ---- ---- session_set_cookie_params($lifetime, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the fouth argument) set to true ---- ---- $value = "sensitive data"; setcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true setrawcookie($name, $value, $expire, $path, $domain, true);// Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true ---- include::../see.adoc[]