[wp-trac] [WordPress Trac] #61322: HTTPOnly attribute for WP Test Cookies
WordPress Trac
noreply at wordpress.org
Wed May 29 22:39:21 UTC 2024
#61322: HTTPOnly attribute for WP Test Cookies
------------------------------+-----------------------------
Reporter: earthman100 | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.5.3
Severity: major | Keywords:
Focuses: coding-standards |
------------------------------+-----------------------------
This code does not set the HTTPOnly attribute for the test cookies.
They continue to be flagged in automated security scans of our sites.
Is there any reason for not setting these, or providing a hook to allow
user control of the attributes?
wp-login.php
{{{#!php
<?php
// Set a cookie now to see if they are supported by the browser.
// Current core code: the seventh setcookie() argument (httponly) is omitted,
// so it defaults to false and no HttpOnly attribute is emitted.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
if ( SITECOOKIEPATH !== COOKIEPATH ) {
	setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
}
if ( isset( $_GET['wp_lang'] ) ) {
	setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
}
}}}
Suggested modification (or add a hook for the final attribute):
{{{#!php
<?php
// Set a cookie now to see if they are supported by the browser.
// Suggested change: pass true as the seventh (httponly) argument.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
if ( SITECOOKIEPATH !== COOKIEPATH ) {
	setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure, true );
}
if ( isset( $_GET['wp_lang'] ) ) {
	setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
}
}}}
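The ticket asks for either the HttpOnly flag or a hook that lets site owners control the cookie attributes. The following is an added example, not WordPress core code and not the reporter's patch, showing how both could be done together with the options-array form of `setcookie()` (PHP 7.3 and later), which is also the only form that can emit a `SameSite` attribute. The filter name `wp_test_cookie_options`, the `example_` function names and the `Lax` default are assumptions made for this illustration; core defines none of them.

```php
<?php
// Added example (not WordPress core code, not the reporter's patch).
// ASSUMPTION: the filter 'wp_test_cookie_options' is hypothetical; core
// does not define it. TEST_COOKIE, COOKIEPATH, SITECOOKIEPATH,
// COOKIE_DOMAIN, wp_login_url() and apply_filters() are real core symbols.

/**
 * Build the attribute array for the login test cookie on one path.
 *
 * The options-array form of setcookie() carries Secure, HttpOnly and
 * SameSite in one place, so a single filter can govern all of them.
 */
function example_test_cookie_options( string $path ): array {
	$secure  = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
	$options = array(
		'expires'  => 0,      // session cookie, as in core
		'path'     => $path,
		'domain'   => COOKIE_DOMAIN,
		'secure'   => $secure,
		'httponly' => true,   // the attribute this ticket asks for
		'samesite' => 'Lax',  // assumed default for the example, not a core setting
	);

	// Hypothetical filter: lets a plugin adjust any attribute per path.
	return apply_filters( 'wp_test_cookie_options', $options, $path );
}

/**
 * Set the browser-support test cookie on every path core uses.
 */
function example_set_test_cookies(): void {
	$paths = array( COOKIEPATH );
	if ( SITECOOKIEPATH !== COOKIEPATH ) {
		$paths[] = SITECOOKIEPATH;
	}
	foreach ( $paths as $path ) {
		setcookie( TEST_COOKIE, 'WP Cookie check', example_test_cookie_options( $path ) );
	}
}

// With the hook in place, a plugin can tighten the policy without patching core:
add_filter( 'wp_test_cookie_options', function ( array $options ) {
	$options['samesite'] = 'Strict';
	return $options;
} );
```

Because the test cookie's value is the fixed string `WP Cookie check`, HttpOnly here does not protect a secret; its benefit is consistent cookie hygiene, which is what header-based scanners check for, and the filter gives operators a supported way to satisfy their own policy rather than editing wp-login.php.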
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61322>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform