[wp-trac] [WordPress Trac] #52639: Add proper Security Attributes to the Cookies set by WordPress
WordPress Trac
noreply at wordpress.org
Wed Feb 24 13:52:21 UTC 2021
#52639: Add proper Security Attributes to the Cookies set by WordPress
-------------------------------+-------------------------------
Reporter: isaumya | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: coding-standards
-------------------------------+-------------------------------
Changes (by SergeyBiryukov):
* keywords: needs-patch => reporter-feedback
Comment:
Hi there, welcome to WordPress Trac! Thanks for the report.
Replying to [ticket:52639 isaumya]:
> Instead, WP Core can take advantage of `is_ssl()` function to check
> whether or not to add the `secure` attribute. But the rest, i.e.
> `HttpOnly`, `SameSite=Strict` should be part of each cookie.
In my testing, that is already the case:
* The `secure` attribute is set based on the `is_ssl()` value as of
  WordPress 2.6. Relevant commits:
  * [7998] / #7001
  * [8069] / #7001
  * [28627] / #15330
  * [28895] / #28427
* The `HttpOnly` attribute is set as of WordPress 2.7. Relevant commit:
  * [8798] / #7677
* The `SameSite` attribute is indeed not currently added and is planned
  for a future release, see #37000.
It's worth noting that `wp_set_auth_cookie()` is a pluggable function,
which means a plugin can redefine and modify it. Could that be the case on
your install?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52639#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
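The comment above asks the reporter to check what attributes their install actually emits, which is best done against the raw Set-Cookie headers rather than by reading code, since a plugin may have replaced the pluggable `wp_set_auth_cookie()`. The checker below is an added example, not code from the ticket or from WordPress core. It parses Set-Cookie headers and reports which of Secure, HttpOnly and SameSite are absent, treating Secure as required only when the response was served over HTTPS (mirroring the `is_ssl()` rule described in the comment), and also flags `SameSite=None` without Secure, which browsers reject. The header lines are constructed sample input; the cookie names follow WordPress's naming pattern but the values are made up.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes."""
from typing import Dict, List

# Constructed sample headers (not captured from a real site). Names follow the
# WordPress pattern (wordpress_logged_in_{hash}, wordpress_sec_{hash}, ...);
# the values and hash are placeholders.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=alice%7C1614200000%7Ctoken%7Chmac; path=/; secure; HttpOnly",
    "wordpress_sec_abc123=alice%7C1614200000%7Ctoken%7Chmac; path=/wp-admin; secure; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "wp-settings-time-1=1614200000; expires=Thu, 24 Feb 2022 13:52:21 GMT; "
    "Max-Age=31536000; path=/; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive per RFC 6265; flag attributes such as
    Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_attributes(header: str, over_https: bool = True) -> List[str]:
    """Return the list of hardening attributes missing from one Set-Cookie header.

    Secure is only demanded when the response came over HTTPS: on plain HTTP a
    Secure cookie would never be sent back, which is why WordPress keys it on
    is_ssl(). SameSite counts as present only for Strict or Lax; None is
    accepted only together with Secure, otherwise browsers drop the cookie.
    """
    attrs = parse_set_cookie(header)["attrs"]
    missing: List[str] = []
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("strict", "lax"):
        pass
    elif samesite == "none":
        if "secure" not in attrs:
            missing.append("SameSite=None without Secure")
    else:
        missing.append("SameSite")
    return missing


def audit(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing."""
    return {
        str(parse_set_cookie(h)["name"]): missing_attributes(h, over_https)
        for h in headers
    }


if __name__ == "__main__":
    for cookie_name, missing in audit(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

Run it against the actual response headers of the login request (for example the Set-Cookie lines from `curl -si` or the browser's network panel) with `over_https` set to match how the site was requested; a cookie that comes back without HttpOnly when core is supposed to set it points at a plugin having redefined `wp_set_auth_cookie()`, which is the question the comment raises.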