{
    "slug": "cookie_security_advanced",
    "term": "Cookie Security Attributes",
    "category": "security",
    "difficulty": "advanced",
    "short": "Modern cookie prefixes (__Host-, __Secure-) and the Partitioned attribute enforce security properties at the browser level: the browser rejects a prefixed cookie that lacks the required attributes, so it cannot be set over plain HTTP or injected by a sibling subdomain. Same-origin JavaScript on a secure page can still set one, so HttpOnly remains necessary for auth cookies.",
    "long": "Cookie prefixes enforce security at the browser level: a cookie whose name starts with __Secure- must carry the Secure attribute and be set from a secure (HTTPS) origin, otherwise the browser discards it. A cookie whose name starts with __Host- must additionally have no Domain attribute and Path=/ — the strictest option. Because it is host-only, it is never sent to subdomains, it cannot be set over HTTP, and a sibling subdomain (sub.example.com) cannot plant or overwrite one for example.com, since the Domain attribute that such cookie tossing relies on is forbidden. The Partitioned attribute (CHIPS — Cookies Having Independent Partitioned State) requires Secure and isolates a cookie per top-level site, so a third-party embed gets a separate cookie jar under each site that embeds it; it is meant for SameSite=None cookies in embedded contexts, not as a replacement for SameSite on first-party session cookies. Combined with SameSite=Strict (or Lax) and HttpOnly, the prefixes close the subdomain cookie-injection vector of session fixation and reduce CSRF exposure; the application must still regenerate the session ID on authentication and keep anti-CSRF tokens, since the browser-level rules do not do either.",
    "aliases": [
        "__Host- prefix",
        "__Secure- prefix",
        "CHIPS",
        "Partitioned cookie"
    ],
    "tags": [
        "security",
        "cookies",
        "php"
    ],
    "misconception": "__Secure- and __Host- are the same — __Secure- only requires a secure origin and the Secure flag, so a subdomain can still set a __Secure- cookie with Domain=example.com that shadows the parent's cookie; __Host- additionally forbids a Domain attribute and requires Path=/, making it immune to cookie injection from subdomains.",
    "why_it_matters": "A session cookie without the __Host- prefix can be set by a compromised or taken-over subdomain (sub.example.com) with Domain=example.com and will then be sent to the main site, letting the attacker fix the victim's session ID (cookie tossing). __Host- removes this vector entirely: the browser rejects a prefixed cookie that carries a Domain attribute, and a host-only cookie set on sub.example.com is never sent to example.com. The prefix does not prevent the subdomain takeover itself — it only stops the takeover from reaching the parent's cookies.",
    "common_mistakes": [
        "__Host- cookie with a Domain attribute set — the browser silently drops the whole cookie (not just the prefix), so the session is never established; check the browser devtools cookie panel, since PHP reports no error.",
        "__Secure- prefix on a cookie served over plain HTTP or set without the Secure flag — the cookie is rejected.",
        "Not using SameSite=Strict (or at least Lax) alongside prefixes — prefixes don't protect against CSRF on their own, and SameSite is defense in depth rather than a replacement for anti-CSRF tokens.",
        "Forgetting HttpOnly on auth cookies — JS-readable cookies are XSS-vulnerable regardless of prefix."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "insecure_cookie",
        "same_site_cookie",
        "csrf",
        "session_fixation"
    ],
    "prerequisites": [
        "insecure_cookie",
        "same_site_cookie",
        "session"
    ],
    "refs": [
        "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes"
    ],
    "bad_code": "// Insecure session cookie:\nsetcookie('session', $token, [\n    'secure'   => false,  // Sent over HTTP\n    'httponly' => false,  // Readable by JavaScript\n    'samesite' => 'None', // Sent on all cross-site requests\n]);",
    "good_code": "// __Host- prefix — maximum security:\nsetcookie('__Host-session', $token, [\n    'expires'  => 0,\n    'path'     => '/',       // Required for __Host-\n    'secure'   => true,      // Required for __Host-\n    'httponly' => true,      // Block JS access\n    'samesite' => 'Strict',  // CSRF protection\n    // No 'domain' key — required for __Host-\n]);\n// Browser enforces: HTTPS only, path=/, no subdomain sharing",
    "quick_fix": "Call session_name('__Host-session') and session_set_cookie_params(['lifetime'=>0,'path'=>'/','secure'=>true,'httponly'=>true,'samesite'=>'Strict']) before session_start() — the prefix only takes effect if the cookie name itself starts with __Host-. Still call session_regenerate_id(true) after login, since the prefix does not replace session-ID rotation.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/cookie_security_advanced",
        "html_url": "https://codeclaritylab.com/glossary/cookie_security_advanced",
        "json_url": "https://codeclaritylab.com/glossary/cookie_security_advanced.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cookie Security Attributes](https://codeclaritylab.com/glossary/cookie_security_advanced) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/cookie_security_advanced"
            }
        }
    }
}