[wp-trac] [WordPress Trac] #52639: Add proper Security Attributes to the Cookies set by WordPress
WordPress Trac
noreply at wordpress.org
Mon Jun 20 14:36:46 UTC 2022
#52639: Add proper Security Attributes to the Cookies set by WordPress
-------------------------------+-------------------------------
Reporter: isaumya | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: coding-standards
-------------------------------+-------------------------------
Comment (by jornfranke):
I see this as a clear security issue if the cookie with the session id is
available to JS. For instance, a cross-site scripting attack can easily
steal the cookie and provide it to third parties.
There should be multiple defense mechanisms. HttpOnly and Secure are
mandatory for sessions in cookies. There is also no doubt about that (e.g.
see here: https://owasp.org/www-community/HttpOnly).
The insecure WP User Setting API needs to be fixed - not by making
WordPress as a whole insecure.
It is bad for the reputation of WordPress security if HttpOnly, Secure,
SameSite=Strict are not enforced on all WordPress session cookies.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52639#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
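As an added example (not code from the ticket or from WordPress core), the following script audits Set-Cookie response headers for the three attributes the comment above calls mandatory on session cookies; the sample headers and cookie names are constructed stand-ins, not captured from a real site.

```python
"""Check Set-Cookie response headers for HttpOnly, Secure and SameSite=Strict."""
from typing import Dict, List, Optional

# Constructed sample headers (not captured from a real site); the cookie
# names are hypothetical stand-ins for a site's session cookies.
SAMPLE_HEADERS = [
    "session_login=alice%7Cdeadbeef; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session_admin=alice%7Ccafebabe; Path=/wp-admin; Secure",
    "session_pref=legacy; Path=/; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into {"__name__": name, attr(lowercase): value}.

    Flag attributes such as HttpOnly or Secure carry no "=" and map to None.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {"__name__": name}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return attrs


def missing_attributes(header: str) -> List[str]:
    """Return the hardening attributes a Set-Cookie header lacks (empty = compliant)."""
    attrs = parse_set_cookie(header)
    missing: List[str] = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        missing.append("SameSite")
    elif samesite.lower() != "strict":
        missing.append(f"SameSite={samesite} (expected Strict)")
    return missing


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing."""
    return {parse_set_cookie(h)["__name__"]: missing_attributes(h) for h in headers}


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Feed it the Set-Cookie headers from a login response to see which cookies would still be readable by script or sent over plain HTTP.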