[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login
WordPress Trac
noreply at wordpress.org
Thu Nov 9 17:28:25 UTC 2017
#42481: Test cookie secure flag prevents non-secure login
------------------------------------+------------------------------
Reporter: RavanH | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Resolution:
Keywords: close | Focuses:
------------------------------------+------------------------------
Changes (by johnbillion):
* keywords: => close
* priority: normal => low
* version: trunk =>
Comment:
Thanks for the report.
This strikes me as an edge case and something that doesn't really need
fixing. It requires a server which responds over HTTPS but which is not
configured to serve a particular domain over HTTPS, and a user who
manually navigates to an HTTPS login URL, and who then subsequently
intentionally ignores the security roadblocks presented by the browser.
If your server is set up to serve HTTPS for the requested domain,
WordPress will allow you to log in over HTTPS regardless of the scheme set
in the site's URL settings. Therefore, if any one of the three
prerequisites above doesn't apply, then the issue won't occur.
The test cookie is a session cookie. If the user closes their browser, the
cookie will be removed.
Regarding the question '''Why does the test cookie need the secure flag at
all?''', the answer is that there is no need for it to ''not'' use the
secure flag when logging in over HTTPS.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42481#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform