Description
Is your feature request related to a problem?
setcookie should have the $secure parameter be set to true in all cases for improved security.
There is no downside to it.
Optionally, a separate rule that requires httponly true (can be easily disabled with phpcs:ignore if one needs them in JS), again for improved security.
Describe the solution you'd like
If a/any setcookie function does not have true as the last parameter (if checking for httponly too - the last 2 parameters), throw an error.
setcookie($cookie_name);
setcookie($cookie_name, $cookie_value );
setcookie($cookie_name, $cookie_value, time() + (86400 * 30) );
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", '' );
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", 'test.com' );
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", '', true ); // this is correct
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", 'test.com', true ); // this is correct
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", '', false, true); // Attention here!
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", '', true, true ); // this is correct
So it could work for:
setcookie
wc_setcookie
custom_setcookie
Additional context (optional)
This is relatively simple to check, EXCEPT that some plugins provide the flag to be filterable, which would be impossible to detect.
e.g.
wc_setcookie( $this->_cookie, $cookie_value, $this->_session_expiration, apply_filters( 'wc_session_use_secure_cookie', false ) );
However, there really is no reason in 2019, where you get SSL certs for free with Let's Encrypt, to not use secure cookies; thus I think we can ignore these filterable ones and flag them as wrong.
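One way the requested check could work, as an added example that is not part of the original issue or the project's code: a standalone PHP script that tokenizes source with `token_get_all()` and reports calls whose `$secure` or `$httponly` argument is not a literal `true`, so the filterable `apply_filters(...)` case is reported too. The function names `split_call_args` and `check_cookie_calls`, the argument positions assumed for `wc_setcookie`, and the sample input are assumptions; the options-array form of `setcookie()` added in PHP 7.3 is not handled.

```php
<?php
// Added example, not project code: report cookie calls whose $secure or
// $httponly argument is anything other than a literal true.
// Return the top-level arguments of the call whose '(' is at $tokens[$start].
function split_call_args(array $tokens, int $start): array {
    $args = []; $cur = ''; $depth = 0;
    for ($i = $start, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) continue;
        $isOpen = in_array($t, ['(', '[', '{'], true)
            || (is_array($t) && in_array($t[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true));
        if ($isOpen) {
            if ($depth++ === 0) continue;              // the call's own '('
        } elseif (in_array($t, [')', ']', '}'], true)) {
            if (--$depth === 0) break;                 // the call's own ')'
        } elseif ($t === ',' && $depth === 1) {
            $args[] = $cur; $cur = ''; continue;       // argument separator
        }
        $cur .= is_array($t) ? $t[1] : $t;
    }
    if ($cur !== '') $args[] = $cur;
    return $args;
}
function check_cookie_calls(string $source): array {
    // 0-based positions of [$secure, $httponly]. Assumption: wc_setcookie takes
    // ($name, $value, $expire, $secure, $httponly), as the issue's call suggests.
    $funcs = ['setcookie' => [5, 6], 'wc_setcookie' => [3, 4]];
    $findings = []; $tokens = token_get_all($source);
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || $t[0] !== T_STRING || !isset($funcs[strtolower($t[1])])) continue;
        $prev = $tokens[$i - 1] ?? null;               // skip ->method() and ::method()
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) continue;
        if (($tokens[$i + 1] ?? null) !== '(') continue; // assumes no space before '('
        $args = split_call_args($tokens, $i + 1);
        foreach (['secure', 'httponly'] as $k => $flag) {
            $value = $args[$funcs[strtolower($t[1])][$k]] ?? 'omitted (defaults to false)';
            if (strtolower($value) === 'true') continue;
            $findings[] = sprintf('line %d: %s() %s is %s', $t[2], $t[1], $flag, $value);
        }
    }
    return $findings;
}
// Constructed sample input, based on the calls quoted in the issue.
$sample = <<<'PHP'
<?php
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/", '', false, true);
wc_setcookie($this->_cookie, $cookie_value, $this->_session_expiration, apply_filters('wc_session_use_secure_cookie', false));
PHP;
echo implode("\n", check_cookie_calls($sample)), "\n";
```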