1.2.1090. Set Cookie Safe Arguments

The last five arguments of setcookie() and setrawcookie() are security-related. Use them whenever you can.

setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )

The $expire argument sets the expiration date of the cookie. Keep it as low as possible, to reduce the window during which the cookie can be captured. Depending on the cookie, a low expiration may be several days (for preferences) or only a few minutes.

The $path argument limits transmission of the cookie to URLs whose path matches the one given here. By default, it is '/', which means the whole server. If the cookie is only used by one part of the application, restrict it here.

The $domain argument limits transmission of the cookie to URLs whose domain matches the one given here. By default, it is '', which means any server on the internet. At worst, use mydomain.com to cover your whole domain, or better, narrow it to the actual subdomain that uses the cookie.

The $secure argument limits transmission of the cookie to HTTP (by default) or HTTPS. The latter is better, as the cookie is then transmitted encrypted. If HTTPS is still at the planning stage, use $_SERVER['HTTPS']: this server variable evaluates to false on HTTP and true on HTTPS.

The $httponly argument removes the cookie from JavaScript's reach: it is only transmitted to the browser and sent back with requests. This helps reduce XSS and CSRF attacks, though its effectiveness is disputed.

The $samesite argument limits sending of the cookie to requests initiated by the same domain. It defaults to Lax but should be upgraded to Strict whenever possible. This attribute is available as of PHP 7.3.

<?php

// admin cookie, available only on https://admin.my-domain.com/system/, for the next minute, and not readable by JavaScript
// the secure flag follows the current request: $_SERVER['HTTPS'] is unset on plain HTTP, so it is tested with empty()
setcookie("admin", $login, time() + 60, "/system/", "admin.my-domain.com", !empty($_SERVER['HTTPS']), true);

// login cookie, available until the browser is closed, over HTTP or HTTPS
setcookie("login", $login);

// removing the login cookie: those situations are omitted by the analysis
setcookie("login", '');

?>

See also setcookie and the 'SameSite' cookie attribute.
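The same admin cookie written with the array form of setcookie() available since PHP 7.3, which is how the samesite attribute is passed. This is an added example, not code from the Exakat documentation; the cookie name, path, domain and lifetime are assumptions reused from the snippet above, and the helper function names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Cookie options shared by the set and delete calls. A browser only
 * replaces or removes a cookie when name, path and domain all match,
 * so both calls must be built from the same scope.
 */
function adminCookieOptions(int $ttlSeconds): array
{
    return [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/system/',
        'domain'   => 'admin.my-domain.com',
        // Derive the secure flag from the request: $_SERVER['HTTPS'] is
        // unset on plain HTTP, "on" on HTTPS, and "off" on some servers,
        // so it is never passed to setcookie() raw.
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

/** Set the admin cookie for one minute with the full attribute set. */
function setAdminCookie(string $login): bool
{
    // setcookie() returns false if headers were already sent; callers
    // should treat that as a failure rather than a cookie being set.
    return setcookie('admin', $login, adminCookieOptions(60));
}

/** Expire the admin cookie using the same path and domain it was set with. */
function deleteAdminCookie(): bool
{
    // A negative ttl puts the expiry in the past, which removes the cookie.
    return setcookie('admin', '', adminCookieOptions(-3600));
}
```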

1.2.1090.1. Connex PHP features

  • cookie

1.2.1090.1.1. Suggestions

  • Use all the arguments when setting cookies with PHP functions

1.2.1090.1.2. Specs

Short name: Security/SetCookieArgs

Rulesets: All, Changed Behavior, Security

Exakat since: 0.10.6

PHP Version: All

Severity: Major

Time To Fix: Instant (5 mins)

Precision: Very high

Available in: Enterprise Edition, Exakat Cloud

©2015-2025, Damien Seguy - Exakat.