Just received the results of a security audit - everything clear apart from two things
Session cookie without http flag.
Session cookie without secure flag set.
The application is coded in php and the suggestions to fix are:
I have looked at examples but don't fully understand how to implement on a Linux server. I don't have access to the .ini file . Is it possible to set these in the htaccess file?
Alternatively, how and where do I implement in the code?
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser. The browser may store the cookie and send it back to the same server with later requests.
Cookies are transmitted using header fields in the HTTP protocol. Cookie lifecycle: The first time a browser connects with a particular server, there are no cookies. The server creates a unique identifier, and returns a Set-Cookie: header in the response that contains the identifier.
There are two ways to create HTTP cookies. Whether through Google Chrome or Mozilla Firefox, you can type in Javascript code to set the cookie into the console with any browser you access. The other option involves the web server sending one or more set-cookie headers.
You can set them before you send the header. Just add these line below in you code.
<?php // **PREVENTING SESSION HIJACKING** // Prevents javascript XSS attacks aimed to steal the session ID ini_set('session.cookie_httponly', 1); // **PREVENTING SESSION FIXATION** // Session ID cannot be passed through URLs ini_set('session.use_only_cookies', 1); // Uses a secure connection (HTTPS) if possible ini_set('session.cookie_secure', 1);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With