[wp-trac] [WordPress Trac] #52639: Add proper Security Attributes to the Cookies set by WordPress
WordPress Trac
noreply at wordpress.org
Fri Aug 23 23:54:22 UTC 2024
#52639: Add proper Security Attributes to the Cookies set by WordPress
-------------------------------+-------------------------------
Reporter: isaumya | Owner: (none)
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: reporter-feedback | Focuses: coding-standards
-------------------------------+-------------------------------
Changes (by azaozz):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
I may be missing something, but looking at the screenshots with the
"insecure" cookies, all are `expires=Tue, 25-Feb-2020 ...`; however, this
ticket was opened on 02/24/2021, one year later. So unless the screenshots
were made exactly one year earlier, these all seem to be attempts to delete
cookies if they exist, not to set or retrieve them? That may be how the
testing software works; it seems it may be looking at the HTTP headers as
well as JS. But I'm unsure what is proven by these "delete a cookie"
calls?
Testing in WP 6.6.1 (current release) and trunk/6.7-alpha, I don't seem to
be able to access any of the mentioned cookies from JS. The only cookie
that is accessible is `wordpress_test_cookie=WP%20Cookie%20check;`. As
explained by @TimothyBlynJacobs above, it is designed to work that way and
that is not a security concern. All other cookies seem to be properly set
to secure, HttpOnly, etc.; see
https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1092.
Closing this as invalid, as it appears the concerns have been addressed.
Feel free to reopen if you believe this is still a security concern, i.e.
if you can access any of the secure WP cookies from JS.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52639#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
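As an added example (not code from the ticket or from WordPress core), a small Python audit of Set-Cookie headers that applies the two points made in the comment above: a header whose Expires is in the past or whose Max-Age is 0 only deletes the cookie and says nothing about how it is normally set, and wordpress_test_cookie is the one cookie expected to be readable from JS. The header lines, the EXAMPLEHASH cookie names and the audit date are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers for a hypothetical site; the "deleted" one mimics the screenshots.
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
    "wordpress_logged_in_EXAMPLEHASH=user%7C1700000000%7Ctoken; path=/; secure; HttpOnly",
    "wp-settings-1=deleted; expires=Tue, 25-Feb-2020 00:00:00 GMT; Max-Age=0; path=/",
    "legacy_session=abc123; path=/",
]
NOW = datetime(2021, 2, 24, tzinfo=timezone.utc)  # the ticket's opening date, used as "now"
JS_READABLE_OK = {"wordpress_test_cookie"}  # readable from JS by design, per the comment

def parse_set_cookie(header):
    """Return (name, value, {lowercased attribute: value}) for one Set-Cookie header."""
    first, *rest = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_deletion(attrs, now):
    """True when the header only clears the cookie: Max-Age <= 0 or Expires in the past."""
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return int(attrs["max-age"]) <= 0
    try:
        exp = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # no date, or an unparseable one: treat as a real set and audit it
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp <= now

def audit(headers, now):
    """Map each cookie that is actually being set to the attributes it is missing."""
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if is_deletion(attrs, now):
            continue  # a delete header proves nothing about how the cookie is normally set
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs and name not in JS_READABLE_OK:
            issues.append("missing HttpOnly (readable from JS)")
        findings[name] = issues
    return findings
```

Running `audit(SAMPLE_HEADERS, NOW)` skips the deleted wp-settings-1 cookie, accepts the test cookie without HttpOnly, and reports only legacy_session.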