
Why it Matters

Cookies carry the session ID and authentication tokens, so a session cookie is as sensitive as the password that created the session. Without the protective attributes, that cookie can be captured on the network if any request travels over plain HTTP, read from document.cookie by an XSS payload, or attached by the browser to a forged cross-site request. A stolen cookie lets an attacker act as that customer or, for an admin session, as an administrator.

The Secure attribute tells the browser to send the cookie only over HTTPS. HttpOnly stops JavaScript from reading it, so an XSS bug cannot exfiltrate the session ID (injected script can still issue requests inside the victim's session, so HttpOnly limits XSS impact rather than removing it). SameSite controls when the browser attaches the cookie to cross-site requests: Lax omits it on cross-site subrequests and POSTs, which breaks the classic CSRF pattern, and Strict also omits it on top-level navigations arriving from other sites. Together these attributes substantially harden session handling; they complement, rather than replace, serving the store only over HTTPS and fixing XSS.

Verification Steps

Browser

# Open browser dev tools → Application → Storage → Cookies (Chrome; in Firefox: Storage → Cookies)
# Inspect the session cookies, such as PHPSESSID and frontend
# Expected: Secure ticked, HttpOnly ticked, SameSite = Lax (or Strict); not None and not blank

Command line

curl -sS -D - -o /dev/null https://yourstore.com/ | grep -i '^set-cookie'
# Every Set-Cookie line for a session cookie should carry Secure; HttpOnly; SameSite=Lax (or Strict)
# Use a GET rather than curl -I: a HEAD request may not start a session, so no cookie would be set at all
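As an added example that is not part of this page or of Magento, the following POSIX shell audit parses Set-Cookie lines and reports which of the three attributes each cookie is missing, treating SameSite=None as a failure. The sample response headers and the cookie name custom_pref are constructed for illustration, not captured from a real store.

```shell
#!/bin/sh
# Added example: audit Set-Cookie headers for the Secure, HttpOnly and SameSite
# attributes. Not part of the Magento project; the sample headers below are
# constructed, not captured from a real store.

# check_set_cookie "<Set-Cookie header line>"
# Prints "PASS <name>" or "FAIL <name>: missing ..." and returns 0 / 1.
check_set_cookie() {
    line="$1"
    body="${line#*:}"                                  # drop the "Set-Cookie:" prefix
    body="$(printf '%s' "$body" | tr -d '\r')"         # curl keeps CRLF line endings
    name="${body%%=*}"
    name="${name# }"                                   # drop the space after the colon
    # Everything after the first ';' is attributes; they are case-insensitive,
    # so normalise to lower case and strip blanks before matching.
    attrs="$(printf '%s' "${body#*;}" | tr 'A-Z' 'a-z' | tr -d ' \t')"
    missing=""
    case ";$attrs;" in *";secure;"*)   ;; *) missing="$missing Secure";;   esac
    case ";$attrs;" in *";httponly;"*) ;; *) missing="$missing HttpOnly";; esac
    case ";$attrs;" in
        *";samesite=lax;"*|*";samesite=strict;"*) ;;
        *";samesite=none;"*) missing="$missing SameSite(None allows cross-site)";;
        *)                   missing="$missing SameSite";;
    esac
    if [ -z "$missing" ]; then
        printf 'PASS %s\n' "$name"
        return 0
    fi
    printf 'FAIL %s: missing%s\n' "$name" "$missing"
    return 1
}

# audit_set_cookie_headers < response-headers
# Checks every Set-Cookie line on stdin; returns 1 if any cookie fails.
audit_set_cookie_headers() {
    rc=0
    while IFS= read -r hdr; do
        case "$hdr" in
            [Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:*) check_set_cookie "$hdr" || rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: one unprotected session cookie, one correct one, and a
# hypothetical custom-module cookie ("custom_pref") that opted into SameSite=None.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=abcd1234; path=/; domain=mystore.com
Set-Cookie: frontend=ef567890; path=/; domain=mystore.com; Secure; HttpOnly; SameSite=Lax
Set-Cookie: custom_pref=1; path=/; SameSite=None'

printf '%s\n' "$SAMPLE_HEADERS" | audit_set_cookie_headers \
    || echo "one or more cookies need attention"

# Against a live store (GET rather than HEAD, since a HEAD request may not start
# a session and therefore may not return Set-Cookie at all):
#   curl -sS -D - -o /dev/null https://yourstore.com/ | audit_set_cookie_headers
```

The audit is deliberately strict about SameSite=None: a cookie that opts into cross-site sending is exactly the case the flag is meant to rule out, so it is reported rather than silently accepted. Run the live command against both the storefront URL and the admin URL, since the admin session cookie is only issued on admin requests.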

Remediation / Fix Guidance

  1. Enable cookie security settings in Magento Admin:
    Stores → Configuration → General → Web → Default Cookie Settings
    - Use HTTP Only: Yes
    - Cookie Secure: Yes
  2. Serve the whole store, storefront and admin, over HTTPS and redirect HTTP to HTTPS. Browsers discard a Secure cookie delivered over plain HTTP, so a store that still answers on HTTP would lose sessions rather than protect them.
  3. Audit custom and third-party modules that set cookies themselves (for example through PHP's setcookie()); the Admin setting does not necessarily apply to those, so add HttpOnly, Secure and SameSite where the module builds the cookie.
  4. Retest login, checkout, and staying logged in across pages after the change; a session that fails to persist usually means a wrong Cookie Domain or Cookie Path, or a Secure cookie being set on an HTTP page.

Examples

Fail Example
Set-Cookie: PHPSESSID=abcd1234; path=/; domain=mystore.com
# Missing Secure, HttpOnly, SameSite
Pass Example
Set-Cookie: PHPSESSID=abcd1234; path=/; domain=mystore.com; Secure; HttpOnly; SameSite=Lax

References