[wp-trac] [WordPress Trac] #61322: HTTPOnly attribute for WP Test Cookies

WordPress Trac noreply at wordpress.org
Wed May 29 22:39:21 UTC 2024


#61322: HTTPOnly attribute for WP Test Cookies
------------------------------+-----------------------------
 Reporter:  earthman100       |      Owner:  (none)
     Type:  feature request   |     Status:  new
 Priority:  normal            |  Milestone:  Awaiting Review
Component:  Security          |    Version:  6.5.3
 Severity:  major             |   Keywords:
  Focuses:  coding-standards  |
------------------------------+-----------------------------
 This code does not set the HTTPOnly attribute for the test cookies.

 They continue to be flagged in automated security scans of our sites.

 Is there any reason for not setting these, or providing a hook to allow
 user control of the attributes?

 wp-login.php

 {{{#!php
 <?php
 // Set a cookie now to see if they are supported by the browser.
 $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
 // The seventh setcookie() argument (httponly) is left at its default, false.
 setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );

 if ( SITECOOKIEPATH !== COOKIEPATH ) {
         setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
 }

 if ( isset( $_GET['wp_lang'] ) ) {
         setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
 }
 }}}


 Suggested modification (or add a hook for the final attribute):


 {{{#!php
 <?php
 // Set a cookie now to see if they are supported by the browser.
 $secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
 // Seventh argument: httponly = true.
 setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );

 if ( SITECOOKIEPATH !== COOKIEPATH ) {
         setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure, true );
 }

 if ( isset( $_GET['wp_lang'] ) ) {
         setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
 }
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61322>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
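The following is an added example, not WordPress core code and not part of the ticket. It shows the same change the ticket proposes, written with the PHP 7.3+ options-array form of setcookie() (which also allows SameSite), plus a small audit that scans the response's queued Set-Cookie headers for a missing HttpOnly attribute, which is the condition the reporter's scanner flags. The WordPress constants and the login URL are stand-ins defined only when core has not defined them, so the script also runs outside WordPress from the command line.

```php
<?php
// Added example (not WordPress core code): set the login test cookie with
// HttpOnly and then audit every queued Set-Cookie header for the flag.
// Stand-in constants, defined only if WordPress has not already defined them.
defined( 'TEST_COOKIE' )    || define( 'TEST_COOKIE', 'wordpress_test_cookie' );
defined( 'COOKIEPATH' )     || define( 'COOKIEPATH', '/' );
defined( 'SITECOOKIEPATH' ) || define( 'SITECOOKIEPATH', '/' );
defined( 'COOKIE_DOMAIN' )  || define( 'COOKIE_DOMAIN', '' );

/**
 * Set the test cookie on one path with Secure (when the login URL is HTTPS),
 * HttpOnly and SameSite=Lax. The options-array form is used because it is the
 * only way to emit SameSite; for HttpOnly alone, the positional form in the
 * ticket (seventh argument `true`) is equivalent.
 */
function set_test_cookie_httponly( string $path, bool $secure ): bool {
    return setcookie( TEST_COOKIE, 'WP Cookie check', [
        'expires'  => 0,          // session cookie, as in core
        'path'     => $path,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => $secure,
        'httponly' => true,       // the attribute the ticket asks for
        'samesite' => 'Lax',
    ] );
}

/**
 * Return the names of cookies queued for this response whose Set-Cookie
 * header lacks the HttpOnly attribute (the same check a scanner performs).
 */
function cookies_missing_httponly(): array {
    $missing = [];
    foreach ( headers_list() as $header ) {
        if ( stripos( $header, 'Set-Cookie:' ) !== 0 ) {
            continue;
        }
        // "Set-Cookie: name=value; path=/; secure; HttpOnly" -> split on ';'
        $parts = array_map( 'trim', explode( ';', substr( $header, strlen( 'Set-Cookie:' ) ) ) );
        $name  = explode( '=', array_shift( $parts ), 2 )[0];
        $attrs = array_map( 'strtolower', $parts );
        if ( ! in_array( 'httponly', $attrs, true ) ) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// ---- demo -------------------------------------------------------------
// Constructed stand-in for wp_login_url(); HTTPS here, so Secure is set.
$login_url = 'https://example.com/wp-login.php';
$secure    = ( 'https' === parse_url( $login_url, PHP_URL_SCHEME ) );

set_test_cookie_httponly( COOKIEPATH, $secure );
if ( SITECOOKIEPATH !== COOKIEPATH ) {
    set_test_cookie_httponly( SITECOOKIEPATH, $secure );
}
// Deliberately queue one cookie without the flag so the audit reports it.
setcookie( 'demo_no_flag', '1', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );

$missing = cookies_missing_httponly();
echo $missing
    ? 'Missing HttpOnly: ' . implode( ', ', $missing ) . PHP_EOL
    : 'All queued cookies carry HttpOnly' . PHP_EOL;
```

Run it with `php -f` (no output may precede the setcookie() calls, as in any request) and the audit lists only `demo_no_flag`; the test cookie set through set_test_cookie_httponly() carries HttpOnly. Dropping the `'httponly' => true` line reproduces the scanner finding the ticket describes.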