Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
This is the worst result on my pen test. I have never EVER touched anything to do with cookies on this app so I'm wondering why Laravel has this set like this out of the box?
OR... is this pen test talking shit?
Here's what it says"
Risk description
Since the `Secure` flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.
Recommendation
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.
Any thoughts?
You should be using https anyway ?
Then create .env value of true for SESSION_SECURE_COOKIE
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
Oh yeah I 100% am using https. Thanks for the env variable tip I'll do that now.
Please or to participate in this conversation.