php.laravel.security.laravel-cookie-long-timeout.laravel-cookie-long-timeout

Found a configuration file where the lifetime attribute is over 30 minutes.
Definition
```yaml
rules:
  - id: laravel-cookie-long-timeout
    patterns:
      - pattern: |
          'lifetime'
      - pattern-inside: |
          return [
            ...,
            'lifetime' => $TIME,
            ...
          ];
      - pattern-not-inside: |
          return [
            ...,
            'lifetime' => env("$VAR", $DEFAULT),
            ...
          ];
      - metavariable-comparison:
          metavariable: $TIME
          comparison: $TIME > 30
    paths:
      include:
        - "*session.php"
    message: Found a configuration file where the lifetime attribute is over 30 minutes.
    languages:
      - php
    severity: ERROR
    metadata:
      category: security
      cwe:
        - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      owasp:
        - A05:2021 - Security Misconfiguration
      technology:
        - php
        - laravel
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
```
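To make the rule's matching behaviour concrete, here is an added Python sketch (not part of the rule or of Semgrep) that mirrors its logic over constructed `session.php` fragments: a literal `lifetime` above 30 is reported, a literal of 30 or less is not, and, because of the `pattern-not-inside` clause, a value read through `env(...)` is never reported even when its fallback default is large. That last case is the rule's blind spot and a reason its confidence is marked LOW.

```python
import re

# Constructed Laravel-style session.php fragments (sample input, not real project files).
SESSION_LITERAL_LONG = """
return [
    'driver' => env('SESSION_DRIVER', 'file'),
    'lifetime' => 120,
];
"""
SESSION_LITERAL_SHORT = """
return [
    'lifetime' => 30,
];
"""
SESSION_ENV_DEFAULT = """
return [
    'lifetime' => env('SESSION_LIFETIME', 120),
];
"""

# Literal minutes: 'lifetime' => 120,
LITERAL_LIFETIME = re.compile(r"'lifetime'\s*=>\s*(\d+)\s*,")
# Value pulled from the environment: 'lifetime' => env(...)
ENV_LIFETIME = re.compile(r"'lifetime'\s*=>\s*env\(")


def check_session_lifetime(source: str, threshold: int = 30) -> list:
    """Return finding messages for a session.php source, mirroring the rule.

    Mirrors `pattern-not-inside`: if lifetime comes from env(), the rule does
    not evaluate the default, so nothing is reported (the blind spot).
    Mirrors `metavariable-comparison`: only literals strictly above the
    threshold are reported.
    """
    findings = []
    if ENV_LIFETIME.search(source):
        return findings
    for match in LITERAL_LIFETIME.finditer(source):
        minutes = int(match.group(1))
        if minutes > threshold:
            findings.append(
                f"lifetime of {minutes} minutes exceeds {threshold}-minute threshold"
            )
    return findings


if __name__ == "__main__":
    for name, src in [("literal 120", SESSION_LITERAL_LONG),
                      ("literal 30", SESSION_LITERAL_SHORT),
                      ("env default 120", SESSION_ENV_DEFAULT)]:
        print(name, "->", check_session_lifetime(src) or "no finding")
```

When auditing a real deployment, check the value of `SESSION_LIFETIME` in the environment (and the `env()` default) by hand, since this rule only sees hard-coded literals.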
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/P1R0