Rule Definition
The software constructs all or part of cookie via user-controllable inputs. These inputs are not neutralized or are incorrectly neutralized. As a consequence, the cookie value may be completely altered. The risk of setting arbitrary cookies depends on further application configuration. For instance : - Session Fixation: If the authentication cookie doesn't change after a successful login an attacker could fixate the session cookie. If a victim logs in with a fixated cookie, the attacker can now take over the session of the user. - Cross-Site-Scripting (XSS): Some application code could read cookies and print it out unsanitized to the user.

Remediation
If this is required functionality, limit the cookie setting to values and not the name. (e.g. authtoken in the example) Make sure to change session tokens after authentication attempts.

Violation Code Sample

<?php

function setCookies(PDOStatement $stmt) : void {
    $stmt->execute();
    $row = $stmt->fetchAll();
    foreach ($rows as $row) {
        $name = $row['name'];
        $value = $row['value'];
        setcookie($name, $value);    // VIOLATION
    }
}

Fixed Code Sample

<?php

/**
* @psalm-taint-escape cookie
*/
function my_escaping_function_for_cookies(string input) : string {
    // Check that input is safe for my cookies
};

CWE-384: Session Fixation https://cwe.mitre.org/data/definitions/384.html Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10-2017_A1-Injection OWASP Top Ten 2021 Category A03:2021 - Injection https://owasp.org/Top10/A03_2021-Injection/ OWASP Cheat Sheet Series - Session Management Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html