From 692568bc951cac7f97db9eb2e41020d1bd6e726c Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Wed, 27 May 2026 12:50:32 +0000
Subject: [PATCH] Enable secure flag for authentication cookie in Login controller
Enable the secure flag for the authentication cookie to prevent transmission over unencrypted connections.
## Changes
- Changed the `secure` parameter from `false` to `true` in the `setcookie()` call in `Login.php`
## Why
The secure flag was explicitly set to `false`, which allowed the authentication cookie containing session tokens to be transmitted over unencrypted HTTP connections. This creates a risk of session token theft via man-in-the-middle attacks. Setting the secure flag to `true` ensures the cookie is only sent over HTTPS connections.
## Semgrep Finding Details
Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.
apostolos.gioulis@team.bumble.com requested this Autofix PR for [this finding](https://semgrep.dev/orgs/bmbl/findings/283858733) from the detection rule [php.lang.security.taint-cookie-secure-false.taint-cookie-secure-false](https://semgrep.dev/r/php.lang.security.taint-cookie-secure-false.taint-cookie-secure-false).
---
 .include/controller/Login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.include/controller/Login.php b/.include/controller/Login.php
index 409b000..45ee01d 100644
--- a/.include/controller/Login.php
+++ b/.include/controller/Login.php
@@ -125,7 +125,7 @@ protected function LoadData()
 \GitPHP\Config::AUTH_METHOD_JIRA,
 ];
 if (in_array(\GitPHP\Config::GetInstance()->GetAuthMethod(), $atlassian_auth_methods)) {
- setcookie(\GitPHP\Jira::getCookieName(), $User->getToken(), $expire, '/', $domain, false, true);
+ setcookie(\GitPHP\Jira::getCookieName(), $User->getToken(), $expire, '/', $domain, true, true);
 }
 }
 $this->redirect($this->params['back']);
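Review bot: The added setcookie() line still uses the positional signature, which leaves the token cookie without a SameSite attribute and hides what the two trailing `true` flags mean; if the project runs on PHP 7.3 or newer, the options-array form fixes both: `setcookie(\GitPHP\Jira::getCookieName(), $User->getToken(), ['expires' => $expire, 'path' => '/', 'domain' => $domain, 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);`. Flipping secure to true also means a browser will silently drop the cookie on any deployment that still serves this controller over plain HTTP, so login would appear to fail there with no error; a short comment such as `// secure=true: the site must be served over HTTPS, otherwise the browser never returns this cookie` on the new line, or a note in the PR description, would save the next person that debugging. The enclosing LoadData() starts before this hunk, so I cannot tell from here whether $expire and $domain are already validated upstream.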