Harden PHP session and cookie security flags | Critiq Docs

#Metadata

Rule ID: php.security.insecure-session-or-cookie-config
Severity: medium
Confidence: 0.76
Languages: php
Presets: security, strict
Stability: experimental
Applies to: block
Tags: cookies, php, rules-catalog, security, session

#Why it matters

Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.

#Remediation

Set `secure=true`, `httponly=true`, and a restrictive same-site policy for authentication cookies in production traffic.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml.

Back to directory Open rule in repository