Support » Plugin: HTTP Headers » Cookie Security won’t set

  • Resolved morris373

    (@morris373)


    Hi
    I have set the Cookie Security to On with the following settings Secure, HttpOnly and samesite=Lax.

    When I save it, it doesn’t appear in the Http Headers in the .htaccess file. Should it save the settings there or does it do something else?

    Thanks

    Morris

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Dimitar Ivanov

    (@zinoui)

    If your server API is some CGI then the settings you’ve mentioned above should be stored in your user-ini.filename

    session.cookie_httponly = on
    session.cookie_secure = on
    session.cookie_samesite = "Lax"

    otherwise in your .htaccess file:

    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite Lax

    So, I guess you’re using some CGI SAPI.

    Thread Starter morris373

    (@morris373)

    Hi Dimitar
    Thank you for your quick reply.

    I needed the 2nd one as I am using the .htaccess file.

    I have added it in and saved the file.

    The website results I need help with: https://observatory.mozilla.org/analyze/friendsofllandyfeisantchurch.org

    When I run Observatory by Mozilla and under Test Scores, it says ‘Session cookie set without using the HttpOnly flag’. I thought by adding the lines above would have set it up correctly using HttpOnly.

    Looking at the Cookies further down, PHPSESSID is not Secure or HttpOnly, also cf7mm_check is not Secure or HttpOnly either.

    So I don’t understand with what’s going on or even if it has gone wrong somewhere. I did manage to add `Header set set-cookie path=/;secure;HttpOnly;samesite=lax and that shows up in the results.

    How can we fix PHPSESSID and cf7mm_check to be secure and HttpOnly?

    Morris

    Thread Starter morris373

    (@morris373)

    Hi Dimitar
    I found this piece of code on this website (https://www.tunetheweb.com/security/http-security-headers/secure-cookies/) that I added to the .htaccess file:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

    And it worked, the Observatory Results now gives me a Tick. When I check the Cookies section of the report both HttpOnly and Secure is ticked.

    Test Scores now read: All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag.

    Maybe you could add that line into your plugin….

    Morris

    Thread Starter morris373

    (@morris373)

    Hi Dimitar
    You can also add samesite=lax or strict like below:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"

    Morris

    Plugin Author Dimitar Ivanov

    (@zinoui)

    Hi @morris373

    Definitely I will consider your suggestion on very next release.

    Thanks

    Set cookie security is not functioning for me either.

    Not sure what do do with the code above or where to put it.

    How would I write a line to go in the FilesMatch so that I get:

    SameSite=None Secure

    I tried several combinations and it just won’t write it to my .htaccess file

    e.g.
    Header set Cookie-Security “SameSite=None; ‘secure'”

    I’m trying to solve this:

    A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute.
    cookies with cross-site requests require SameSite=None and Secure.

    I have the same issue too. Even the httponly and secure is set, it doesn’t set the cookie with HttpOnly and Secure.

    It seems to be working now after adding the following line ‘Header set Set-Cookie HttpOnly;Secure’ right before # END WordPress in .htaccess

    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    Header set Set-Cookie HttpOnly;Secure
    
    # END WordPress
    # BEGIN HttpHeaders
    # The directives (lines) between "BEGIN HttpHeaders" and "END HttpHeaders" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_headers.c>
      Header always set X-Content-Type-Options "nosniff"
      <FilesMatch "\.(php|html)$">
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-XSS-Protection "1"
        Header set Pragma "no-cache"
        Header set Cache-Control "must-revalidate, no-cache, no-store"
      </FilesMatch>
    </IfModule>
    
    # BEGIN HttpHeadersCookieSecurity
    # The directives (lines) between "BEGIN HttpHeadersCookieSecurity" and "END HttpHeadersCookieSecurity" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    # END HttpHeadersCookieSecurity
    
Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Cookie Security won’t set’ is closed to new replies.