[wp-trac] [WordPress Trac] #36785: Filter for httponly cookie
WordPress Trac
noreply at wordpress.org
Thu May 12 07:14:14 UTC 2016
#36785: Filter for httponly cookie
------------------------------------+------------------------------
Reporter: IAmJulianAcosta | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.5.2
Severity: normal | Resolution:
Keywords: 2nd-opinion close | Focuses:
------------------------------------+------------------------------
Changes (by dd32):
* keywords: 2nd-opinion => 2nd-opinion close
Comment:
I see no reason why the auth cookies should be made available in this
manner; it's just adding the ability for a developer to shoot themselves
in the foot with a vulnerability.
If JS needs to know the logged-in user, it should use its own cookie
which is set through `wp_localize_script()` or similar; making available
the full auth cookie is just asking for a bad time.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36785#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
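The pattern dd32 recommends, as an added example that is not part of the ticket or of WordPress core: the auth cookie stays HttpOnly and is validated server-side, while the script only receives the non-secret facts it needs through `wp_localize_script()`. The script handle `my-app`, the file `assets/app.js`, the action name `my_app_action` and the JS object `myApp` are assumed names.

```php
<?php
// Added example, not WordPress core code. Handle/file/action names are hypothetical.
// Only non-secret, per-request facts go to the browser; the HttpOnly auth cookie
// is never read by JS, so an XSS bug cannot simply exfiltrate the session.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script(
        'my-app',
        plugins_url( 'assets/app.js', __FILE__ ), // assumed script location
        array(),
        '1.0',
        true
    );

    // wp_localize_script() casts scalars to strings, so pass strings/ints, not booleans.
    $data = array(
        'loggedIn' => is_user_logged_in() ? '1' : '0',
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'my_app_action' ), // CSRF token, not a credential
    );

    if ( is_user_logged_in() ) {
        $user                = wp_get_current_user();
        $data['userId']      = (int) $user->ID;
        $data['displayName'] = $user->display_name;
    }

    wp_localize_script( 'my-app', 'myApp', $data );
} );

// Server side: identity still comes from the HttpOnly auth cookie, which WordPress
// validates on every request. The values handed to JS are a convenience, never proof.
add_action( 'wp_ajax_my_app_action', function () {
    check_ajax_referer( 'my_app_action', 'nonce' ); // rejects requests without a valid nonce
    wp_send_json( array( 'userId' => get_current_user_id() ) );
} );
```

Because `wp_ajax_` (without the `nopriv_` prefix) only fires for authenticated users, the handler's `get_current_user_id()` reflects the cookie WordPress verified, not whatever the client claimed in `myApp.userId`.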