[wp-trac] [WordPress Trac] #36785: Filter for httponly cookie.
WordPress Trac
noreply at wordpress.org
Mon May 9 01:20:19 UTC 2016
#36785: Filter for httponly cookie.
------------------------------------+-----------------------------
Reporter: IAmJulianAcosta | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.5.2
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Sometimes it is necessary to send auth cookies without httponly, so I'm
proposing a filter to modify this behavior with an action:
pluggable.php
{{{
$http_only = true;
$http_only = apply_filters( 'http_only_auth_cookie', $http_only );
setcookie( $auth_cookie_name, $auth_cookie, $expire,
    PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only );
setcookie( $auth_cookie_name, $auth_cookie, $expire,
    ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only );
setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire,
    COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only );
if ( COOKIEPATH != SITECOOKIEPATH ) {
    setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire,
        SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only );
}
}}}
functions.php
{{{
function disable_http_only_cookie( $http_only ) {
    return false;
}
add_filter( 'http_only_auth_cookie', 'disable_http_only_cookie' );
}}}
I know that this could represent a security issue, but I'm pretty sure
that any developer modifying this is pretty sure about what they are doing.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36785>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
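
An added example, not part of the original ticket or of WordPress itself: a check a site owner could run over the `Set-Cookie` values of a login response to see whether any auth cookie is being sent without HttpOnly, as the filter proposed above would allow. It assumes the default cookie names (a `wordpress_`, `wordpress_sec_` or `wordpress_logged_in_` prefix followed by the 32-character COOKIEHASH); the function names and sample values are constructed for illustration.

```python
import re

# Default WordPress auth cookie names: a fixed prefix plus COOKIEHASH (an MD5 hex digest).
AUTH_COOKIE_RE = re.compile(r"^wordpress_(sec_|logged_in_)?[0-9a-f]{32}$")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes), attribute keys lowercased."""
    first, *rest = header_value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name, attrs


def is_deletion(attrs):
    """A Max-Age of zero or less expires the cookie at once, as on logout."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False


def audit_auth_cookies(set_cookie_values):
    """Return (cookie name, path) for each auth cookie set without HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if not AUTH_COOKIE_RE.match(name) or is_deletion(attrs):
            continue
        if "httponly" not in attrs:
            findings.append((name, attrs.get("path", "")))
    return findings


# Constructed sample: Set-Cookie values as a login response might carry them.
H = "0123456789abcdef0123456789abcdef"  # constructed stand-in for COOKIEHASH
SAMPLE = [
    f"wordpress_sec_{H}=admin%7C1462756819%7Ctoken; path=/wp-admin; secure",
    f"wordpress_logged_in_{H}=admin%7C1462756819%7Ctoken; path=/; secure; HttpOnly",
    "wp-settings-time-1=1462756819; path=/; secure",
    f"wordpress_{H}=+; expires=Sun, 10 May 2015 01:20:19 GMT; Max-Age=0; path=/wp-admin",
]

if __name__ == "__main__":
    for name, path in audit_auth_cookies(SAMPLE):
        print(f"auth cookie without HttpOnly: {name} (path={path})")
```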