72 lines
2.6 KiB
Plaintext
72 lines
2.6 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
In _php.ini_ you can specify the flags for the session cookie which is security-sensitive:
|
|
|
|
----
|
|
session.cookie_secure = 0; // Sensitive: this security-sensitive session cookie is created with the secure flag set to false (cookie_secure = 0)
|
|
----
|
|
|
|
Same thing in PHP code:
|
|
|
|
----
|
|
session_set_cookie_params($lifetime, $path, $domain, false);
|
|
// Sensitive: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_
|
|
----
|
|
|
|
If you create a custom security-sensitive cookie in your PHP code:
|
|
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain, false); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) set to _false_
|
|
----
|
|
|
|
By default https://www.php.net/manual/en/function.setcookie.php[``++setcookie++``] and https://www.php.net/manual/en/function.setrawcookie.php[``++setrawcookie++``] functions set the sixth argument / ``++secure++`` flag to _false:_
|
|
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
|
|
setrawcookie($name, $value, $expire, $path, $domain); // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,php]
|
|
----
|
|
session.cookie_secure = 1; // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to cookie_secure property set to 1
|
|
----
|
|
|
|
[source,php]
|
|
----
|
|
session_set_cookie_params($lifetime, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the fouth argument) set to true
|
|
----
|
|
|
|
[source,php]
|
|
----
|
|
$value = "sensitive data";
|
|
setcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
|
|
setrawcookie($name, $value, $expire, $path, $domain, true);// Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|