
Recently a scan was run on one of our applications and it returned the following security threats:

1. Cookies Not Marked As Secure: Cookie without Secure flag set

2. Cookie without HttpOnly flag set: Cookie without HttpOnly flag set

$this->cache_ptr = new CACHE($_COOKIE["sess"], 0, 0);

CACHE is a user-built library that uses Sessions etc.

I am not sure about the right syntax to mark the cookie secure and set the cookie with HttpOnly flag. Also, this is a legacy application running in php 4. Can someone please help me with this or point me to a resource?

EDIT: I implemented Sven's recommendation. Is there a way I can test the secure functionality?

Also, since I am using PHP 4 (which will have to be updated eventually) I cannot use httponly in the setcookie function. So does that mean I need to add the following line before the setcookie function?

header("Set-Cookie: hidden=value; httpOnly");

Will it interfere with my setcookie function?

Micheal

2 Answers


Use setcookie(). Read about it here. Set the sixth parameter to true to make the cookie secure.

Landon
  • httponly is another parameter that you can set with `setcookie()` – Landon Oct 23 '12 at 22:32
  • Also the PHP version is less than 5 and it does not support the httponly parameter. Is there a way without upgrading the PHP version for now? – Micheal Oct 24 '12 at 15:39
  • If you don't have that version, you will have to set the cookie manually with the header function: `header( "Set-Cookie: name=value; httpOnly" );` – Landon Oct 24 '12 at 16:27

The code you are showing does not set the cookie. It might trigger setting a cookie, but essentially you must look at the CACHE class and see what's going on there.

You are looking for function calls of setcookie(), and if not found, for header('Set-Cookie...').

You'll have to change setcookie() to include all the default values for the optional parameters, until at the end you set the last two to true for secure and httponly.

Have a look at the manual: http://de1.php.net/setcookie

Sven
  • Thanks Landon and Sven. Is there a way I can test to see if it's secure and http only? I don't have the security scan software that was used to run initially. – Micheal Oct 24 '12 at 15:26
  • Firebug will show you the result. Additionally checking the `Set-Cookie` response header from the server will do as well. – Sven Oct 24 '12 at 18:08
  • can I also add secure to it function: header( "Set-Cookie: name=value; httpOnly secure" ); – Micheal Oct 29 '12 at 16:11
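The following is an added example, not code from the question or either answer. It pulls together the two points made above: Landon's setcookie() parameter order (name, value, expire, path, domain, secure, httponly) with a hand-written Set-Cookie header as the fallback for PHP builds older than 5.2.0, and Sven's suggestion to verify the fix by inspecting the Set-Cookie response header. The cookie name "sess" and the $session_id variable are assumptions; adapt them to the CACHE class. Cookie attributes in a Set-Cookie header are separated by semicolons, so "httpOnly secure" without a ";" between them is read as one unknown attribute, which the checker below demonstrates with a constructed sample.

```php
<?php
// Added example (hypothetical helper names; not from the question or answers).

// Build a Set-Cookie header line carrying both flags the scanner checks for.
// expire is omitted so the browser treats it as a session cookie.
function build_set_cookie($name, $value, $path = '/')
{
    return 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
         . '; path=' . $path . '; Secure; HttpOnly';
}

// Send the session cookie with Secure and HttpOnly set.
// The 7th (httponly) argument of setcookie() exists from PHP 5.2.0; older
// builds emit the header by hand. Use this INSTEAD of the existing setcookie()
// call for the same cookie: sending both would give the browser two Set-Cookie
// headers for "sess" and it keeps whichever arrives last.
function send_secure_session_cookie($name, $value, $path = '/')
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // expire=0 (session), path, domain='' (current host), secure=true, httponly=true
        return setcookie($name, $value, 0, $path, '', true, true);
    }
    // false as the second argument adds the header rather than replacing an
    // earlier header of the same name.
    header(build_set_cookie($name, $value, $path), false);
    return true;
}

// Check one Set-Cookie response header (as seen in browser dev tools or with
// `curl -sI https://host/`) and return the names of the flags that are missing.
// An empty array means both Secure and HttpOnly are present.
function missing_cookie_flags($set_cookie_line)
{
    $missing = array('Secure', 'HttpOnly');
    $value = preg_replace('/^Set-Cookie:\s*/i', '', $set_cookie_line);
    $parts = explode(';', $value);
    array_shift($parts);                 // first part is name=value, not an attribute
    foreach ($parts as $attr) {
        $attr = strtolower(trim($attr)); // attribute names are case-insensitive
        if ($attr === 'secure') {
            $missing = array_diff($missing, array('Secure'));
        }
        if ($attr === 'httponly') {
            $missing = array_diff($missing, array('HttpOnly'));
        }
    }
    return array_values($missing);
}

// Constructed sample headers (not real server output).
$samples = array(
    'Set-Cookie: sess=abc123; path=/',                     // both flags missing
    'Set-Cookie: sess=abc123; path=/; Secure; HttpOnly',   // correct
    'Set-Cookie: sess=abc123; path=/; httpOnly secure',    // missing ';' -> one unknown attribute
);
foreach ($samples as $line) {
    $missing = missing_cookie_flags($line);
    echo $line, "\n  missing: ", ($missing ? implode(', ', $missing) : 'none'), "\n";
}

// In the application, replace the cookie-setting call inside CACHE with:
// send_secure_session_cookie('sess', $session_id);
```

Run the check against the real application by capturing the response headers of the page that sets the cookie (browser dev tools, Firebug, or `curl -sI` over HTTPS) and passing each Set-Cookie line to missing_cookie_flags(); the Secure flag only has an effect when the site is served over HTTPS, since it tells the browser never to send the cookie over plain HTTP.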