Cookie without Secure flag and HttpOnly flag set

0
votes

Recently a scan was run on one of our applications and it returned the following 1 security threats:

1.Cookies NotMarked As Secure::Cookie without Secure flag set

2.Cookie without HttpOnly flag set::Cookiewithout HttpOnly flag set

$this->cache_ptr = new CACHE($_COOKIE["sess"], 0, 0);

CACHE is an user built library that uses Sessions etc.

I am not sure about the right syntax to mark the cookie secure and set the cookie with HttpOnly flag. Also, this is a legacy application running in php 4. Can someone please help me with this or point me to a resource?

EDIT: I implemented Sven's recommendation. Is there a way I can test the secure functionality?

Also,Since I am using php4(which will have to be updated eventaully) I cannot use httponly in the setcookie function. So does that mean,I need to add the following line before setcookie function?

header("Set-Cookie: hidden=value; httpOnly");

will it intefere with my setcookie function?

2
phphtmlcookies

2 Answers

1
votes

use setcookie(). read about it here. Set the sixth parameter to true to make the cookie secure.

1
votes

The code you are showing does not set the cookie. It might trigger setting a cookie, but essentially you must look at the CACHE class and see what's going on there.

You are looking for function calls of setcookie(), and if not found, for header('Set-Cookie...').

You'll have to change setcookie() to include all the default values for the optional parameters, until at the end you set the last two to true for secure and httponly.

Have a look at the manual: http://de1.php.net/setcookie