# Cookie Domain Analyzer PRO

Category Severity Time To Fix
🛡️ Security Minor 1 minute

Class: Enlightn\EnlightnPro\Analyzers\Security\CookieDomainAnalyzer

# Introduction

The cookie domain attribute specifies which hosts are allowed to receive the cookie. If not specified, it defaults to the same origin that set the cookie, excluding subdomains.

This analyzer confirms that your session cookie domain attribute (this is also the default for all cookies) is set to null if you do not have subdomain route registrations.

If a domain attribute is specified, then subdomains are always included, potentially making your application less secure.

# How To Fix

Simply set your domain configuration option in your config/session.php file to null:

| Session Cookie Domain
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.

'domain' => null,

# Skip Condition

This analyzer is skipped if there are route registrations that relate to more than one unique domain or sub-domain in your application.

# References