[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login

WordPress Trac noreply at wordpress.org
Thu Nov 9 17:28:25 UTC 2017

#42481: Test cookie secure flag prevents non-secure login
 Reporter:  RavanH                  |       Owner:
     Type:  defect (bug)            |      Status:  new
 Priority:  low                     |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  close                   |     Focuses:
Changes (by johnbillion):

 * keywords:   => close
 * priority:  normal => low
 * version:  trunk =>


 Thanks for the report.

 This strikes me as an edge case and something that doesn't really need
 fixing. It requires a server which responds over HTTPS but which is not
 configured to serve a particular domain over HTTPS, and a user who
 manually navigates to an HTTPS login URL, and who then subsequently
 intentionally ignores the security roadblocks presented by the browser.

 If your server is set up to serve HTTPS for the requested domain,
 WordPress will allow you to log in over HTTPS regardless of the scheme set
 in the site's URL settings. Therefore, if any one of the three
 prerequisites above don't apply, then the issue won't occur.

 The test cookie is a session cookie. If the user closes their browser, the
 cookie will be removed.

 Regarding the question '''Why does the test cookie need the secure flag at
 all?''', the answer is that there is no need for it to ''not'' use the
 secure flag when logging in over HTTPS.

Ticket URL: <https://core.trac.wordpress.org/ticket/42481#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list