Update rule metadata (#1673)

hashicorp-vault-sonar-prod[bot] · nils-werner-sonarsource · web-flow · commit a5b1fdda8ac6 · 2026-04-10T08:05:43.000+02:00
Co-authored-by: nils-werner-sonarsource &lt;nils-werner-sonarsource@users.noreply.github.com&gt;
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html
@@ -1,54 +1,45 @@
 <p>When a cookie is protected with the <code>secure</code> attribute set to <em>true</em> it will not be send by the browser over an unencrypted HTTP
 request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.</p>
-<h2>Ask Yourself Whether</h2>
-<ul>
-  <li>the cookie is for instance a <em>session-cookie</em> not designed to be sent over non-HTTPS communication.</li>
-  <li>it’s not sure that the website contains <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content">mixed content</a> or not
-  (ie HTTPS everywhere or not)</li>
-</ul>
-<p>There is a risk if you answered yes to any of those questions.</p>
-<h2>Recommended Secure Coding Practices</h2>
-<ul>
-  <li>It is recommended to use <code>HTTPs</code> everywhere so setting the <code>secure</code> flag to <em>true</em> should be the default behaviour
-  when creating cookies.</li>
-  <li>Set the <code>secure</code> flag to <em>true</em> for session-cookies.</li>
-</ul>
-<h2>Sensitive Code Example</h2>
+<h2>Why is this an issue?</h2>
+<p>When a cookie is created without the <code>secure</code> attribute set to <code>true</code>, browsers will transmit it over unencrypted HTTP
+connections as well as HTTPS. An attacker who can observe or intercept network traffic—for example on a public Wi-Fi network—can read the cookie value
+in cleartext.</p>
+<h3>What is the potential impact?</h3>
+<h4>Session hijacking</h4>
+<p>If a session cookie is transmitted over an unencrypted HTTP connection, an attacker who can intercept the traffic can steal it. With a valid
+session cookie, the attacker can impersonate the victim and gain full access to their account without knowing their password. Even on sites that
+primarily use HTTPS, a single HTTP request containing the session cookie is enough to expose it.</p>
+<h2>How to fix it in Core PHP</h2>
+<p>Set the <code>secure</code> parameter to <code>true</code> when creating cookies to prevent them from being transmitted over unencrypted HTTP
+connections.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
 <p>In <em>php.ini</em> you can specify the flags for the session cookie which is security-sensitive:</p>
-<pre>
-session.cookie_secure = 0; // Sensitive: this security-sensitive session cookie is created with the secure flag set to false (cookie_secure = 0)
+<pre data-diff-id="1" data-diff-type="noncompliant">
+session.cookie_secure = 0; // Noncompliant
 </pre>
 <p>Same thing in PHP code:</p>
-<pre>
-session_set_cookie_params($lifetime, $path, $domain, false);
-// Sensitive: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_
+<pre data-diff-id="2" data-diff-type="noncompliant">
+session_set_cookie_params($lifetime, $path, $domain, false);  // Noncompliant: this security-sensitive session cookie is created with the secure flag (the fourth argument) set to _false_
 </pre>
 <p>If you create a custom security-sensitive cookie in your PHP code:</p>
-<pre>
-$value = "sensitive data";
-setcookie($name, $value, $expire, $path, $domain, false);  // Sensitive: a security-sensitive cookie is created with the secure flag  (the sixth argument) set to _false_
-</pre>
-<p>By default <a href="https://www.php.net/manual/en/function.setcookie.php"><code>setcookie</code></a> and <a
-href="https://www.php.net/manual/en/function.setrawcookie.php"><code>setrawcookie</code></a> functions set the sixth argument / <code>secure</code>
-flag to <em>false:</em></p>
-<pre>
+<pre data-diff-id="3" data-diff-type="noncompliant">
 $value = "sensitive data";
-setcookie($name, $value, $expire, $path, $domain);  // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
-setrawcookie($name, $value, $expire, $path, $domain);  // Sensitive: a security-sensitive cookie is created with the secure flag (the sixth argument) not defined (by default to false)
+setcookie($name, $value, $expire, $path, $domain, false);  // Noncompliant: a security-sensitive cookie is created with the secure flag  (the sixth argument) set to _false_
 </pre>
-<h2>Compliant Solution</h2>
-<pre>
-session.cookie_secure = 1; // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to cookie_secure property set to 1
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+session.cookie_secure = 1;
 </pre>
-<pre>
-session_set_cookie_params($lifetime, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the fouth argument) set to true
+<pre data-diff-id="2" data-diff-type="compliant">
+session_set_cookie_params($lifetime, $path, $domain, true);
 </pre>
-<pre>
+<pre data-diff-id="3" data-diff-type="compliant">
 $value = "sensitive data";
-setcookie($name, $value, $expire, $path, $domain, true); // Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth  argument) set to true
-setrawcookie($name, $value, $expire, $path, $domain, true);// Compliant: the sensitive cookie will not be send during an unencrypted HTTP request thanks to the secure flag (the sixth argument) set to true
+setcookie($name, $value, $expire, $path, $domain, true);
 </pre>
-<h2>See</h2>
+<h2>Resources</h2>
+<h3>Standards</h3>
 <ul>
   <li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>
   <li>OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a></li>
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.json
@@ -1,6 +1,7 @@
 {
-  "title": "Creating cookies without the \"secure\" flag is security-sensitive",
-  "type": "SECURITY_HOTSPOT",
+  "title": "Cookies should have the \"secure\" flag",
+  "type": "VULNERABILITY",
+  "quickfix": "unknown",
   "code": {
     "impacts": {
       "SECURITY": "LOW"
@@ -14,6 +15,7 @@
   },
   "tags": [
     "cwe",
+    "former-hotspot",
     "privacy"
   ],
   "defaultSeverity": "Minor",
diff --git a/sonarpedia.json b/sonarpedia.json
@@ -3,7 +3,7 @@
   "languages": [
     "PHP"
   ],
-  "latest-update": "2026-03-19T05:34:08.225567209Z",
+  "latest-update": "2026-04-09T05:41:07.653307556Z",
   "options": {
     "no-language-in-filenames": true,
     "preserve-filenames": true
