2

I have a Laravel site, and I thought I had patched this issue already.

I have these in my session.php:

    'secure'    => true,
    'http_only' => true,

But OpenVAS still detected that I still need to fix it.

It also listed it 3 times

Am I missing anything else? Or is this a potential false positive from OpenVAS?

code-8
  • 125
  • 1
  • 7

1 Answer

3

From the documentation:

httponly
If set to TRUE then PHP will attempt to send the httponly flag when setting the session cookie.

From your code:

    'http_only' => true,

Thus, it looks like you spelled it wrong, i.e. you spelled http_only whereas it should be httponly.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424