[wp-trac] Re: [WordPress Trac] #7677: WordPress should implement HttpOnly Cookies to slow down XSS
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 4 19:38:13 GMT 2008
#7677: WordPress should implement HttpOnly Cookies to slow down XSS
----------------------------------------------+-----------------------------
Reporter: _ck_ | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.7
Component: Security | Version:
Severity: major | Resolution:
Keywords: cookies needs-patch dev-reviewed |
----------------------------------------------+-----------------------------
Comment (by _ck_):
I'm not sure if you are asking me or if you are saying it won't work?
The $secure argument is just telling PHP to only send the cookie if the
connection should be SSL (https).
It does not interfere with the domain and therefore should not be affected
by the `HttpOnly` hack?
Based on your patch, it should be as simple as:
{{{
} else {
    // PHP before 5.2 has no httponly argument to setcookie(); appending
    // "; HttpOnly" to the domain string carries the flag into the emitted
    // Set-Cookie header instead.
    setcookie($auth_cookie_name, $auth_cookie,
        $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN.'; HttpOnly', $secure);
    setcookie($auth_cookie_name, $auth_cookie,
        $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN.'; HttpOnly', $secure);
    // The logged-in cookie is set without the $secure argument here.
    setcookie(LOGGED_IN_COOKIE, $logged_in_cookie,
        $expire, COOKIEPATH, COOKIE_DOMAIN.'; HttpOnly');
    if ( COOKIEPATH != SITECOOKIEPATH )
        setcookie(LOGGED_IN_COOKIE,
            $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN.'; HttpOnly');
}
}}}
PS. I have a survey of 4000 bbPress sites and one out of three of them is
still running PHP 4.3 or 4.4. I suspect WordPress will have similar stats
(Matt probably knows exactly from the phone-home data during the upgrade
check).
--
Ticket URL: <http://trac.wordpress.org/ticket/7677#comment:13>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
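As an added example (not WordPress code and not part of the patch discussed in this ticket), the following PHP helper sets the HttpOnly flag through setcookie()'s native seventh argument on PHP 5.2 and later and, on older builds, writes the Set-Cookie header itself rather than smuggling "; HttpOnly" through the domain argument. A second function scans headers_list() to confirm every Set-Cookie header for the name actually carries the flag, which is the check worth running after any of these tricks. The function names, cookie name, domain and the separator-character check are assumptions; headers_list() needs PHP 5.0 or later.

```php
<?php
// Added example; function names and sample values are hypothetical.

// Build a raw Set-Cookie header value. This bypasses setcookie() entirely,
// so it works on any PHP version, including 4.x where no httponly
// argument exists.
function build_set_cookie_header($name, $value, $expire, $path, $domain, $secure, $httponly) {
    // Assumed sanity check: separators in these parts would let a caller
    // inject extra attributes or a second header line.
    foreach (array($name, $path, $domain) as $part) {
        if ($part !== '' && strpbrk($part, "=,; \t\r\n\013\014") !== false) {
            trigger_error('Cookie name/path/domain contains an illegal character', E_USER_WARNING);
            return false;
        }
    }
    $header = $name . '=' . rawurlencode($value);
    if ($expire > 0) {
        // Netscape-style expiry date, as setcookie() emits it.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s \G\M\T', $expire);
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        // Browser sends the cookie only over https.
        $header .= '; secure';
    }
    if ($httponly) {
        // Browser keeps the cookie out of document.cookie.
        $header .= '; HttpOnly';
    }
    return $header;
}

// Set an HttpOnly cookie on whatever PHP version is running.
function emit_httponly_cookie($name, $value, $expire, $path, $domain, $secure) {
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // Native support: the httponly parameter was added in PHP 5.2.0.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    $header = build_set_cookie_header($name, $value, $expire, $path, $domain, $secure, true);
    if ($header === false) {
        return false;
    }
    // Second argument false: do not replace other Set-Cookie headers.
    header('Set-Cookie: ' . $header, false);
    return true;
}

// Verify the outgoing headers: true only if at least one Set-Cookie header
// for $name exists and every one of them carries HttpOnly.
function cookie_headers_have_httponly($name) {
    $found = false;
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie: ' . $name . '=') === 0) {
            $found = true;
            if (stripos($h, '; httponly') === false) {
                return false;
            }
        }
    }
    return $found;
}

// Sample usage with constructed values (not real WordPress cookie data).
emit_httponly_cookie('wordpress_logged_in', 'constructed-token', time() + 172800, '/', 'example.com', false);
emit_httponly_cookie('wordpress_sec', 'constructed-token', time() + 172800, '/wp-admin', 'example.com', true);
foreach (array('wordpress_logged_in', 'wordpress_sec') as $cookie) {
    echo $cookie, ': ', cookie_headers_have_httponly($cookie) ? 'HttpOnly set' : 'HttpOnly MISSING', "\n";
}
```

Run this before any output is sent (headers cannot be added afterwards). Writing the header directly avoids depending on setcookie() passing an unsanitised domain through, and the headers_list() check is what tells you whether a given PHP build actually emitted the flag.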