[wp-trac] [WordPress Trac] #36785: Filter for httponly cookie
WordPress Trac
noreply at wordpress.org
Tue May 10 12:57:56 UTC 2016
#36785: Filter for httponly cookie
------------------------------------+------------------------------
Reporter: IAmJulianAcosta | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.5.2
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------+------------------------------
Comment (by IAmJulianAcosta):
Hi! I'm talking about a specific case when you have to read the auth cookie in a
web app that uses WordPress users and the auth cookie from WordPress for its
own auth. I have this particular case, and it would be nice if we had an
option to modify it. I don't see why there would be people that change this
setting for no reason.
Replying to [comment:1 swissspidy]:
> Hey there,
>
> Welcome to trac and thanks for creating this ticket!
>
> > Sometimes is necessary to send auth cookies without httponly
>
> Can you tell us about specific use cases where this is '''absolutely necessary''' and cannot be circumvented by using a separate cookie?
>
> > I know that this could represent a security issue
>
> It does, that's why `httponly` was added '''on purpose''' in #7677.
>
> > I'm pretty sure that any developer modifying this, is pretty sure about what is doing.
>
> Never be too sure about this, really. There will always be people that would change this for no reason, or seem to be sure about it and forget to deactivate it on their production site.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36785#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
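
The concern raised in the quoted reply, that the flag gets switched off and forgotten on a production site, can be checked from outside by inspecting the Set-Cookie headers of a login response. This is an added example, not part of the ticket or of WordPress core; it assumes the default cookie names (`wordpress_`, `wordpress_sec_` and `wordpress_logged_in_` followed by a 32-character hex hash) and runs on constructed sample headers.

```python
import re

# Default WordPress auth cookie names: prefix + md5 hash (32 hex characters).
# Assumption: the site has not overridden the cookie-name constants.
AUTH_COOKIE = re.compile(r"^wordpress_(?:sec_|logged_in_)?[0-9a-f]{32}$")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def auth_cookies_missing_httponly(set_cookie_headers):
    """Return the names of auth cookies that were sent without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if AUTH_COOKIE.match(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (hash and cookie values are made up).
HASH = "0123456789abcdef0123456789abcdef"
SAMPLE_HEADERS = [
    f"wordpress_logged_in_{HASH}=user%7C1462971476%7Ctok%7Chmac; path=/; HttpOnly",
    f"wordpress_sec_{HASH}=user%7C1462971476%7Ctok%7Chmac; path=/wp-admin; secure",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "wp-settings-time-1=1462885076; path=/",
]

if __name__ == "__main__":
    for cookie in auth_cookies_missing_httponly(SAMPLE_HEADERS):
        print("auth cookie readable by scripts:", cookie)
```

Cookies that are not auth cookies, such as `wordpress_test_cookie`, are ignored, so only a missing flag on a session-bearing cookie is reported.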