[wp-trac] [WordPress Trac] #34159: Tweak the secure cookie flag logic for some cookies
WordPress Trac
noreply at wordpress.org
Tue Oct 6 00:51:12 UTC 2015
#34159: Tweak the secure cookie flag logic for some cookies
--------------------------+-------------------------
Reporter: johnbillion | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: 4.4
Component: Security | Version: 4.0
Severity: minor | Keywords: needs-patch
Focuses: |
--------------------------+-------------------------
The URLs that are used when determining whether to set the `secure` flag
on the user settings cookies and the test cookie aren't always
appropriate.
1. If a site's `home` and `siteurl` URLs use `http` but `FORCE_SSL_ADMIN`
is used, then the secure flag won't be set on user settings cookies.
[https://core.trac.wordpress.org/browser/tags/4.3.1/src/wp-includes/option.php#L786 Ref].
This should use `admin_url()` instead.
2. If a site's `home` URL uses `http` but the login form uses `https`
then the secure flag won't be set on the test cookie.
[https://core.trac.wordpress.org/browser/tags/4.3.1/src/wp-login.php#L443
Ref]. This should use `wp_login_url()` instead.
Introduced in #28427
Related: #29641
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34159>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
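
Added example, not part of the ticket or of WordPress core: a stand-alone PHP model of the two mismatches described above, comparing a secure flag derived from the stored `home`/`siteurl` schemes with one derived from the URL the cookie is actually set from. The function names, the `example.test` configurations, and the assumption that `FORCE_SSL_ADMIN` puts both the admin and login URLs on `https` are illustrative stand-ins.

```php
<?php
// Added illustration, not WordPress core code. Function names are hypothetical
// stand-ins and the site configurations are constructed sample values.

function is_https(string $url): bool {
    return 'https' === parse_url($url, PHP_URL_SCHEME);
}

// Assumption: with FORCE_SSL_ADMIN on, admin and login URLs are served over
// https whatever scheme the stored siteurl has.
function model_url(array $site, string $path): string {
    $url = rtrim($site['siteurl'], '/') . $path;
    return $site['force_ssl_admin'] ? preg_replace('#^http://#', 'https://', $url) : $url;
}

// Simplified model of the reported behaviour: flags follow the stored URLs.
function flags_reported(array $site): array {
    return [
        'settings' => is_https($site['siteurl']),
        'test'     => is_https($site['home']) && is_https($site['siteurl']),
    ];
}

// Proposed behaviour: flags follow the URL each cookie is actually set from.
function flags_proposed(array $site): array {
    return [
        'settings' => is_https(model_url($site, '/wp-admin/')),
        'test'     => is_https(model_url($site, '/wp-login.php')),
    ];
}

// Constructed configurations covering both cases from the ticket.
$sites = [
    'all http'               => ['home' => 'http://example.test',  'siteurl' => 'http://example.test',  'force_ssl_admin' => false],
    'http + FORCE_SSL_ADMIN' => ['home' => 'http://example.test',  'siteurl' => 'http://example.test',  'force_ssl_admin' => true],
    'http home, https login' => ['home' => 'http://example.test',  'siteurl' => 'https://example.test', 'force_ssl_admin' => false],
    'all https'              => ['home' => 'https://example.test', 'siteurl' => 'https://example.test', 'force_ssl_admin' => false],
];

foreach ($sites as $label => $site) {
    $old = flags_reported($site);
    $new = flags_proposed($site);
    foreach (['settings', 'test'] as $cookie) {
        printf("%-24s %-9s reported=%-5s proposed=%s\n", $label, $cookie,
            var_export($old[$cookie], true), var_export($new[$cookie], true));
    }
}
```

The rows where `reported` and `proposed` differ are the configurations in which a cookie set on an `https` page would go out without the `secure` flag.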