So unfortunately someone is trying a cross-script cookie attack to commit fraud on my site. I can see the header, and all I think I need to do is change 3 things with the cookie they created (I have PHP v7+).
My code to adjust the cookie:
session_set_cookie_params( [
'lifetime' => 0,
'Max-Age' => 0,
'samesite' => 'Strict',
] );
So I expire Max-Age and lifetime and change the samesite to Strict (from Lax). This page doesn't use cookies and I want to just unset it. But I didn't think it was possible and the attacker set that elsewhere.
I made a test program, but I don't think this code works. What am I doing wrong, and how can I change this malicious cookie or just destroy it?
Sample header (I cleaned this a bit because it was long)
====
{"date":"Tue, 28 Jul 2024 20:47:06 GMT","content-type":"text/html; charset=UTF-8","transfer-encoding":"chunked","connection":"close","x-powered-by":"PHP/8.3.9","cache-control":"no-cache, private","content-security-policy":"default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline'","set-cookie":["applocale=xx; expires=Thu, 28 Aug 2024 20:47:04 GMT; Max-Age=2591998; path=/; secure; httponly; samesite=lax","XSRF-TOKEN=xx; expires=Tue, 28 Jul 2024 22:47:06 GMT; Max-Age=7200; path=/; secure;
What I have tried:
I wrote code to modify the cookie but I don't think this works.
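The two operations the post is attempting, written out as an added example that is not the poster's code: configuring the PHP session cookie with the option keys session_set_cookie_params() actually accepts (lifetime, path, domain, secure, httponly, samesite; there is no 'Max-Age' key, and 'lifetime' => 0 already produces a session cookie without Max-Age/expires), and deleting a named cookie the browser already holds by sending a Set-Cookie for the same name, path and domain with an expiry in the past. The cookie name 'applocale' is taken from the captured header; the path '/' and empty domain are assumptions that must match whatever the cookie was originally set with.

```php
<?php
// Added example, not code from the original post. Shows the two things the
// post tries to do: set session-cookie attributes with valid keys, and
// delete a cookie that is already in the browser.

declare(strict_types=1);

// 1. Session cookie attributes. Must be called before session_start() and
//    before any output. Only these keys are recognised by
//    session_set_cookie_params(); an unknown key such as 'Max-Age' makes
//    the call fail instead of being applied.
function configureSessionCookie(): bool
{
    return session_set_cookie_params([
        'lifetime' => 0,        // session cookie: no Max-Age/expires is emitted
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// 2. Delete a cookie the browser already holds. Browsers match a cookie on
//    name + domain + path, so the deleting Set-Cookie must use the same
//    path/domain the cookie was created with (assumed '/' and host-only here).
function deleteCookie(string $name, string $path = '/', string $domain = ''): bool
{
    if (headers_sent($file, $line)) {
        // Headers already flushed: no further Set-Cookie can be added.
        return false;
    }
    $sent = setcookie($name, '', [
        'expires'  => time() - 3600, // in the past: browser discards the cookie
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Drop it from this request's view too, so later code does not trust it.
    unset($_COOKIE[$name]);
    return $sent;
}

configureSessionCookie();
session_start();

// Tear down the server-side session and the session cookie itself.
$_SESSION = [];
deleteCookie(session_name());
session_destroy();

// Delete the cookie seen in the captured header (name taken from the post;
// path and domain are assumptions).
deleteCookie('applocale');
```

Two caveats a practitioner should check: the deleting Set-Cookie only works if the path and domain attributes match the cookie in the browser, which is why the original attributes must be known rather than guessed; and both calls silently do nothing if any output (including a BOM or a blank line before `<?php`) has already been sent, which is what the headers_sent() guard detects.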