[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login

WordPress Trac noreply at wordpress.org
Thu Nov 9 01:30:31 UTC 2017


#42481: Test cookie secure flag prevents non-secure login
--------------------------+-----------------------------
 Reporter:  RavanH        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Once a user has accessed the login form over https (possible without a
 valid SSL license, ignoring the browser warning), the WordPress TEST_COOKIE
 will have the secure flag set:
 https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L433

 When that user goes back to login over http, this will no longer be
 possible. The test cookie will be ignored by the browser because of the
 secure flag.

 Without the test cookie, all login attempts will be redirected back to the
 login form with a warning about cookies not being set by the browser. Most
 users will not know why this happens and will no longer be able to log in.

 The user will have to go back to https, open the developer toolbar, delete
 the cookie and then go back to http. Only then will the test cookie be set
 again, this time without the secure flag.

 A work-around to prevent users from being locked out like this is to make
 the test cookie name "http/s aware" with something like this in
 wp-config.php:

 {{{
 // Suffix the test cookie name on https requests, so the secure and the
 // non-secure test cookie never share a name in the browser's cookie jar.
 $secure = ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ? '_sec' : '';
 define( 'TEST_COOKIE', 'wordpress' . $secure . '_test_cookie' );
 }}}
 (using wordpress_sec for the secure cookie, similar to the auth cookie)

 But... the real question is:

 '''Why does the test cookie need the secure flag at all?'''

 There is no sensitive information passed and it's only there to (as the
 name suggests) test for cookie-unaware or cookie-blocking browsers. At least
 as far as I can tell, there would be no possible problem with simply
 removing this cookie's secure flag. This will not affect any sensitive
 login/session cookies' secure flags.

 Or am I mistaken? Are there use cases where the browser can be set to
 accept cookies over https while blocking them over http?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42481>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
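As an added example, not code from the ticket, from WordPress or from any browser: a small Python model of the cookie-jar behaviour the report describes, with the login flow reduced to "set the test cookie on GET, require it on POST". It assumes two jar rules: a Secure cookie is only sent over https (RFC 6265), and a Set-Cookie received over http may not overwrite an existing Secure cookie of the same name (the "leave secure cookies alone" rule of RFC 6265bis, which current browsers implement); the second rule is what stops a plain-http visit from simply replacing the Secure test cookie. The cookie name `wordpress_test_cookie`, the value `WP Cookie check`, the `_sec` suffix from the ticket's workaround, and the server-side functions are assumed stand-ins, not wp-login.php code.

```python
"""
Constructed model of the TEST_COOKIE lock-out: https visit first, then an
http login attempt.  Not WordPress or browser code.

Assumed jar rules:
  1. a cookie carrying Secure is only sent on https requests (RFC 6265);
  2. a Set-Cookie received over http is rejected if it would overwrite an
     existing Secure cookie of the same name (RFC 6265bis, "leave secure
     cookies alone").
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool


class CookieJar:
    """Minimal single-host jar; domain and path attributes are ignored."""

    def __init__(self) -> None:
        self._cookies: dict[str, Cookie] = {}

    def store(self, scheme: str, cookie: Cookie) -> bool:
        """Apply a Set-Cookie received over `scheme`; True if it was stored."""
        if scheme != "https" and cookie.secure:
            return False  # Secure cannot be set from a plain-http response
        existing = self._cookies.get(cookie.name)
        if scheme != "https" and existing is not None and existing.secure:
            return False  # rule 2: http may not overwrite a Secure cookie
        self._cookies[cookie.name] = cookie
        return True

    def cookies_for(self, scheme: str) -> dict[str, str]:
        """Cookies that would accompany a request over `scheme` (rule 1)."""
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


def cookie_name_for(scheme: str, scheme_aware: bool) -> str:
    """Default name, or the ticket's wp-config.php '_sec' suffix on https."""
    if scheme_aware and scheme == "https":
        return "wordpress_sec_test_cookie"
    return "wordpress_test_cookie"


def login_form_get(jar: CookieJar, scheme: str, scheme_aware: bool,
                   secure_flag: bool) -> bool:
    """Stand-in for GET wp-login.php: the server sets the test cookie.
    `secure_flag` models whether Secure is added when served over https."""
    cookie = Cookie(cookie_name_for(scheme, scheme_aware), "WP Cookie check",
                    secure=secure_flag and scheme == "https")
    return jar.store(scheme, cookie)


def login_form_post(jar: CookieJar, scheme: str, scheme_aware: bool) -> bool:
    """Stand-in for POST wp-login.php: login proceeds only if the test cookie
    came back; otherwise the user is bounced to the form with the warning."""
    return cookie_name_for(scheme, scheme_aware) in jar.cookies_for(scheme)


def http_login_after_https_visit(scheme_aware: bool = False,
                                 secure_flag: bool = True) -> bool:
    """The ticket's sequence: visit the form over https, then log in over http.
    Returns True if the http login can proceed."""
    jar = CookieJar()
    login_form_get(jar, "https", scheme_aware, secure_flag)
    login_form_get(jar, "http", scheme_aware, secure_flag)
    return login_form_post(jar, "http", scheme_aware)


if __name__ == "__main__":
    print("default (Secure test cookie):", http_login_after_https_visit())
    print("scheme-aware cookie name:    ",
          http_login_after_https_visit(scheme_aware=True))
    print("Secure flag dropped:         ",
          http_login_after_https_visit(secure_flag=False))
```

Run as a script it shows the three cases from the ticket: the default configuration locks the http login out, while either the scheme-aware name or dropping the Secure flag from the test cookie lets it through. The model only covers the test cookie; the auth and logged-in cookies keep whatever flags WordPress gives them.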

