CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Cookie Security Attributes

security PHP 7.3+ Advanced
debt(d5/e3/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). The term's detection_hints list semgrep and owasp-zap as tools that can catch missing cookie security attributes. These are specialist security tools, not default linters — a standard PHP linter won't flag missing __Host- prefixes or SameSite attributes without specific security rules configured.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix shows a single call to session_set_cookie_params with proper flags before session_start(). However, fixing this across an application may require updating multiple setcookie() calls and ensuring all cookie-setting code paths use consistent attributes, pushing slightly beyond a one-liner but still a localized, parameterized fix pattern.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). Cookie security applies to web contexts and affects session handling across the application. Every feature that touches authentication or session state must respect these conventions. The choice has moderate reach — it's not architectural, but misconfiguration anywhere in cookie-setting code creates security holes. Developers must consistently remember the prefix rules and attribute requirements.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception explicitly states developers confuse __Secure- and __Host- prefixes, believing they're equivalent when __Host- has stricter requirements (no Domain attribute, Path=/). Common_mistakes confirm: setting Domain on __Host- cookies causes silent rejection by browsers — no error, just ignored. The 'obvious' approach of adding Domain for flexibility breaks __Host- entirely. This contradicts intuitive expectations about cookie prefixes.

About DEBT scoring → scored by claude-opus-4-5-20251101 · 2026-05-07 · reviewed by human

Also Known As

__Host- prefix __Secure- prefix CHIPS Partitioned cookie

TL;DR

Modern cookie prefixes (__Host-, __Secure-) and the Partitioned attribute enforce strict security properties that cannot be overridden by JavaScript or subdomains.

Explanation

Cookie prefixes enforce security at the browser level: __Secure- prefix requires Secure flag and HTTPS. __Host- prefix requires Secure, no Domain attribute, and Path=/ — the strictest option, ensuring the cookie cannot be sent to subdomains or over HTTP. The Partitioned attribute (CHIPS — Cookies Having Independent Partitioned State) prevents cross-site tracking by isolating cookies per top-level site. Combined with SameSite=Strict and HttpOnly, these prefixes defend against session fixation, CSRF, and subdomain takeover attacks.

Common Misconception

__Secure- and __Host- are the same — __Secure- only requires HTTPS and Secure flag; __Host- additionally forbids a Domain attribute and requires Path=/, making it immune to subdomain attacks.

Why It Matters

A session cookie without __Host- prefix can be set by a compromised subdomain (sub.example.com) and sent to the main domain — __Host- prevents this class of subdomain takeover entirely.

Common Mistakes

  • __Host- cookie with a Domain attribute set — the prefix is silently rejected by the browser.
  • __Secure- prefix on a cookie served over HTTP — the cookie is rejected.
  • Not using SameSite=Strict alongside prefixes — prefixes don't protect against CSRF on their own.
  • Forgetting HttpOnly on auth cookies — JS-readable cookies are XSS-vulnerable regardless of prefix.

Code Examples

✗ Vulnerable 
// Insecure session cookie:
setcookie('session', $token, [
    'secure'   => false,  // Sent over HTTP
    'httponly' => false,  // Readable by JavaScript
    'samesite' => 'None', // Sent on all cross-site requests
]);
✓ Fixed 
// __Host- prefix — maximum security:
setcookie('__Host-session', $token, [
    'expires'  => 0,
    'path'     => '/',       // Required for __Host-
    'secure'   => true,      // Required for __Host-
    'httponly' => true,      // Block JS access
    'samesite' => 'Strict',  // CSRF protection
    // No 'domain' key — required for __Host-
]);
// Browser enforces: HTTPS only, path=/, no subdomain sharing
Added 16 Mar 2026
Edited 22 Mar 2026
Views 39

Curated in Warsaw under one editorial standard. 1,445 terms, single voice.  About this reference →

🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 0 pings S 2 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F 0 pings S 1 ping S 2 pings M 0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S
Agents 0
No pings yet today
No pings yesterday
Perplexity 13 Amazonbot 8 Google 6 Unknown AI 2 Ahrefs 1
Also referenced
SameSite Cookie Attribute 75 Cross-Site Request Forgery (CSRF) 30 Insecure Cookie 23 Session Fixation 23
How they use it
crawler 29 crawler_json 1
Related categories
security 4.2k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Use session_set_cookie_params(['lifetime'=>0,'path'=>'/','secure'=>true,'httponly'=>true,'samesite'=>'Strict']) before session_start()
📦 Applies To
PHP 7.3+ web
🔗 Prerequisites
🔍 Detection Hints
session_set_cookie_params without samesite or secure httponly flags; setcookie without secure httponly
Auto-detectable: ✓ Yes semgrep owasp-zap
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-614 CWE-1004 CWE-1275
✓ schema.org compliant