[wp-trac] [WordPress Trac] #52639: Add proper Security Attributes to the Cookies set by WordPress

WordPress Trac noreply at wordpress.org
Wed Feb 24 13:17:12 UTC 2021


#52639: Add proper Security Attributes to the Cookies set by WordPress
------------------------------+-----------------------------
 Reporter:  isaumya           |      Owner:  (none)
     Type:  enhancement       |     Status:  new
 Priority:  normal            |  Milestone:  Awaiting Review
Component:  Security          |    Version:
 Severity:  normal            |   Keywords:  needs-patch
  Focuses:  coding-standards  |
------------------------------+-----------------------------
 Hi,
 I have come across this security matter while we were developing a project
 using WordPress as the CMS for the Government. As Government sites go
 through a strict security audit, that is where I came across this matter.

 Apparently, all the cookies that are set by WordPress don't have any of
 the security attributes like `secure`, `HttpOnly`, `SameSite=Strict` in
 them. This means these cookies can be accessed any way a script wants.

 Not just WP Core but even almost all popular plugins like WooCommerce
 don't follow these security practices, I don't know why. Just adding a
 few extra parameters to a Cookie can make it quite secure and stop it from
 being accessed however a script wants.

 But here I'm focusing on the WP Core as other plugins look at the coding
 standards of WP Core and try to follow that. So, implementing these basic
 security practices in WP Core will lead to many other plugins following
 the same path and creating a more secure system.

 **Now if we focus on a very basic `/wp-login.php` page:**

 We can see only the `wordpress_test_cookie` has the `secure` attribute,
 while every other cookie simply has Cookie Name, Value, Expiration Date,
 Max-Age & Path; i.e. only the bare necessary things for that cookie to
 work, ignoring all other security features. Here is a screenshot:

 [[Image(https://i.imgur.com/zbyvDBo.png)]]

 Instead, WP Core can take advantage of `is_ssl()` function to check
 whether or not to add the `secure` attribute. But the rest, i.e.
 `HttpOnly`, `SameSite=Strict` should be part of each cookie.

 **Take a look at WooCommerce cookies now:**

 I know the WooCommerce issue is out of context here as we are only
 focusing on WP Core, but I am showing this just to show how widespread
 this issue is.

 [[Image(https://i.imgur.com/ekz8Qr8.png)]]

 So, maybe if WP Core implements these security features it will push
 others to do the same.

 Please note that this is not specific to the WP Admin login page but to
 almost all cookies added by WordPress. Would love to see these security
 attributes get added to the cookies set by WP Core.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52639>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
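Added example (my code, not WordPress core or WooCommerce code) of what the ticket asks for, in PHP: a setcookie() wrapper using the PHP 7.3+ options array with `secure` driven by `is_ssl()` (WordPress's helper, stubbed here so the file runs outside WordPress), plus a small check that reports which of Secure, HttpOnly and SameSite are missing from a Set-Cookie header. The cookie values and the `example.test` host below are constructed placeholders.

```php
<?php
// Added example, not WordPress core code: the setcookie() call the ticket
// asks for, beside a small check for the attributes on a Set-Cookie header.
// is_ssl() is WordPress's own helper; stubbed here so this runs outside WP.
if (!function_exists('is_ssl')) {
    function is_ssl(): bool {
        return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    }
}

// A cookie carrying the attributes the ticket proposes (PHP 7.3+ options
// array). 'secure' follows is_ssl() so the cookie still works on plain HTTP.
// SameSite=Strict also withholds the cookie on top-level navigations coming
// from other sites, so pass 'Lax' where such links must stay logged in.
function set_cookie_hardened(string $name, string $value, int $expires, string $samesite = 'Strict'): bool {
    return setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => $samesite,
    ]);
}

// Audit helper: given one Set-Cookie header value (for example copied from
// `curl -sI https://example.test/wp-login.php`), list the missing attributes.
function cookie_missing_attributes(string $set_cookie): array {
    $attrs = array_map('trim', explode(';', $set_cookie));
    array_shift($attrs); // drop the leading "name=value" pair
    $present = [];
    foreach ($attrs as $attr) {
        if ($attr !== '') {
            // attribute names are case-insensitive; keep only the name part
            $present[strtolower(strtok($attr, '='))] = true;
        }
    }
    $missing = [];
    foreach (['Secure', 'HttpOnly', 'SameSite'] as $want) {
        if (empty($present[strtolower($want)])) {
            $missing[] = $want;
        }
    }
    return $missing;
}

// Constructed sample headers modelled on the screenshot in the ticket.
$bare = 'wordpress_test_cookie=WP+Cookie+check; expires=Fri, 26-Feb-2021 13:17:12 GMT; Max-Age=172800; path=/';
$good = 'wordpress_test_cookie=WP+Cookie+check; Max-Age=172800; path=/; secure; HttpOnly; SameSite=Strict';
print_r(cookie_missing_attributes($bare));
print_r(cookie_missing_attributes($good));
```

set_cookie_hardened() must be called before any output is sent, as with any setcookie() call.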