# HTTP Only Cookie Analyzer

| Category | Severity | Time To Fix |
|----------|----------|-------------|
| 🛡️ Security | ⚠️ Critical | 1 minute |

Class: `Enlightn\Enlightn\Analyzers\Security\HttpOnlyCookieAnalyzer`

# Introduction

A cookie with the HttpOnly attribute cannot be read or written by JavaScript (it is not exposed through `document.cookie`); the browser still sends it with requests as usual. The `http_only` configuration option in your `config/session.php` file determines whether your session cookie is set with the HttpOnly attribute.

This analyzer confirms that your session cookie sets the HttpOnly attribute.

If this is not enabled, any cross-site scripting (XSS) vulnerability in your application can be escalated to session hijacking: injected script can read the session cookie from `document.cookie` and send it to an attacker. HttpOnly does not prevent XSS itself, but it takes the session cookie out of reach of injected script. Unless you have a very specific use case that requires the session cookie to be read from JavaScript, it is recommended to enable this option.

Note that cookies created through Laravel's cookie helpers default to HttpOnly; the `http_only` option in `config/session.php` only controls the session cookie and does not affect the other cookies in your application.

# How To Fix

Simply set the `http_only` option in your `config/session.php` file to `true`:

```php
/*
|--------------------------------------------------------------------------
| HTTP Access Only
|--------------------------------------------------------------------------
|
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
|
*/
'http_only' => true,
```
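The config option only matters if the cookie the application actually emits carries the attribute, so after changing it, confirm the live response headers. The following checker is an added example, not part of the Enlightn project or of Laravel: it parses raw response headers (for instance the output of `curl -sI https://app.example/login`) and reports the session cookie's HttpOnly status along with any other cookie missing the attribute. It assumes Laravel's default session cookie name `laravel_session` (configurable via `session.cookie`), and the two responses embedded below are constructed sample data, not captured from a real application.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example (not Enlightn or Laravel code). Feed it raw response headers
and it reports which cookies are readable from JavaScript. The session
cookie name `laravel_session` is an assumption (Laravel's default); the
sample responses are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value into a report of its security attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased.
    The Expires date contains a comma but never a ';', so splitting on ';'
    is safe.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )


def set_cookie_reports(raw_response: str) -> List[CookieReport]:
    """Extract and parse every Set-Cookie header in raw response headers."""
    reports = []
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            reports.append(parse_set_cookie(value.strip()))
    return reports


# Laravel sets XSRF-TOKEN without HttpOnly on purpose so that JavaScript
# clients can read it and echo it back in the X-XSRF-TOKEN header; that is
# the kind of specific use case where a JS-readable cookie is intended.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({"XSRF-TOKEN"})


def missing_httponly(raw_response: str,
                     allow: FrozenSet[str] = DEFAULT_ALLOWLIST) -> List[str]:
    """Names of cookies set without HttpOnly, excluding allow-listed ones."""
    return [r.name for r in set_cookie_reports(raw_response)
            if not r.httponly and r.name not in allow]


def session_cookie_is_httponly(raw_response: str,
                               session_cookie: str = "laravel_session") -> bool:
    """True only if the session cookie is present AND carries HttpOnly.

    An absent session cookie counts as a failure, not a pass, so probing
    the wrong endpoint cannot silently look healthy.
    """
    for r in set_cookie_reports(raw_response):
        if r.name == session_cookie:
            return r.httponly
    return False


# Constructed sample responses (not captured from a real application).
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: XSRF-TOKEN=c2FtcGxl; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; secure; samesite=lax
Set-Cookie: laravel_session=c2FtcGxl; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; secure; httponly; samesite=lax
"""

SAMPLE_WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: XSRF-TOKEN=c2FtcGxl; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; secure; samesite=lax
Set-Cookie: laravel_session=c2FtcGxl; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; secure; samesite=lax
"""

if __name__ == "__main__":
    for label, body in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(f"{label}: session HttpOnly={session_cookie_is_httponly(body)}, "
              f"cookies missing HttpOnly={missing_httponly(body)}")
```

Run it against the real application by piping `curl -sI` output into `set_cookie_reports`; the XSRF-TOKEN allow-list exists because that cookie is meant to be readable, and passing `allow=frozenset()` lists every non-HttpOnly cookie if you want the full picture.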

# Skip Condition

This analyzer is skipped if your app is stateless (does not use sessions), since there is no session cookie to check.
