---
title: Use __Host- Prefix For Cookies
impact: MEDIUM
impactDescription: ensures cookie is domain-locked and secure from subdomain hijacking
tags: cookies, prefix, domain, security, php
---

## Use __Host- Prefix For Cookies

The `__Host-` prefix is a special cookie naming convention enforced by modern browsers. It provides strong guarantees that the cookie is only sent to the exact host that set it, preventing session hijacking or fixation attacks initiated from subdomains.

**Incorrect (standard cookie name):**

```php
// Name doesn't provide browser-level enforcement of security constraints
setcookie("session_id", $token, ['secure' => true, 'path' => '/']);
```

**Correct (__Host- prefix):**

```php
// 1. Using setcookie (PHP 7.3+, options-array form)
setcookie("__Host-session", $token, [
    'secure' => true,     // REQUIRED for __Host-
    'path' => '/',        // REQUIRED for __Host-
    'httponly' => true,
    'samesite' => 'Strict',
    // 'domain' => '...', // MUST NOT BE SET for __Host-
]);
```

```php
// 2. In Laravel (config/session.php): the relevant keys of the returned config array
return [
    // ...
    'cookie' => '__Host-session',
    'path' => '/',        // REQUIRED for __Host-
    'domain' => null,     // MUST stay null for __Host- (no SESSION_DOMAIN)
    'secure' => true,     // REQUIRED for __Host-
    // ...
];
```

**__Host- Prefix Requirements (Browser Enforced):**
1. **Must** have the `Secure` flag.
2. **Must** have a `Path` of `/`.
3. **Must NOT** have a `Domain` attribute (this locks it to the exact host).

**Alternative: __Secure- Prefix**
If you need to share the cookie across subdomains, use the `__Secure-` prefix. It only requires the `Secure` flag but still communicates that the cookie is sensitive.

```php
setcookie("__Secure-id", $token, ['secure' => true, 'domain' => '.example.com']);
```
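As an added example (not part of the original rule page), a small Python audit routine that checks `Set-Cookie` response headers against the three `__Host-` requirements and the `__Secure-` requirement listed above; the header lines in the block are constructed samples.

```python
from typing import Dict, List, Tuple

# Prefix rules as listed above (browser-enforced):
#   __Host-   : Secure flag, Path=/, and no Domain attribute
#   __Secure- : Secure flag

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie-name, {attribute-lowercased: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag-only attrs map to ""
    return name.strip(), attrs

def audit_cookie(header: str) -> List[str]:
    """Return prefix-rule violations for one Set-Cookie header (empty list = compliant)."""
    name, attrs = parse_set_cookie(header)
    problems: List[str] = []
    # Match prefixes case-insensitively so an audit flags more, never fewer, cookies.
    lowered = name.lower()
    if lowered.startswith("__host-"):
        if "secure" not in attrs:
            problems.append(f"{name}: __Host- cookie is missing the Secure flag")
        if attrs.get("path") != "/":
            problems.append(f"{name}: __Host- cookie must have Path=/")
        if "domain" in attrs:
            problems.append(f"{name}: __Host- cookie must not set a Domain attribute")
    elif lowered.startswith("__secure-"):
        if "secure" not in attrs:
            problems.append(f"{name}: __Secure- cookie is missing the Secure flag")
    return problems

def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers; only non-compliant cookies appear in the result."""
    report = {h: audit_cookie(h) for h in headers}
    return {h: p for h, p in report.items() if p}

if __name__ == "__main__":
    # Constructed sample headers: the first two mirror the PHP examples above.
    sample = [
        "__Host-session=abc123; Secure; Path=/; HttpOnly; SameSite=Strict",
        "__Secure-id=abc123; Secure; Domain=.example.com",
        "__Host-session=abc123; Secure; Path=/; Domain=example.com",
    ]
    for header, problems in audit_headers(sample).items():
        print(header, "->", "; ".join(problems))
```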

**Tools:** Web Browser Cookie Audit, SonarQube, Manual Security Review
