Title: Cookie without HttpOnly
Last modified: August 22, 2016

---

# Cookie without HttpOnly

 *  Resolved [SSavage](https://wordpress.org/support/users/ssavage/)
 * (@ssavage)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/)
 * Hello,
    I am using the Sucuri Security Plugin for a client at [http://www.tomblubaugh.net](http://www.tomblubaugh.net)
   using Striking Multiflex as the theme, and it is a great tool with great instructions
   on securing and hardening a WordPress website, thank you.
 * I have one warning listed during the malware scan that I cannot seem to get rid
   of.
 * Cookie without HttpOnly
    We identified a Cookie on your site that was not set
   as HttpOnly. [http://kb.sucuri.net/warnings/hardening/cookies-httponly](http://kb.sucuri.net/warnings/hardening/cookies-httponly)
 * The link says to use ‘Set-Cookie: COOKIE=VAL; path=/; domain=.domain.com; secure;
   HttpOnly’ to set your cookies; however, it does not explain where to put this
   code, and neither do the two sub-links explaining this process.
 * I have researched other ways to set cookies but none seem to remove this warning
   from the plugin.
 * Where should this code be placed, and/or is it possible to determine which cookie
   is causing this warning?
 * Thank you for all your help,
    Shawn
 * [https://wordpress.org/plugins/sucuri-scanner/](https://wordpress.org/plugins/sucuri-scanner/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5887988)
 * The articles referenced in the post are deliberately ambiguous because the information
   in the response headers depends on the technology used to power the website;
   each programming language and technology stack has its own way to do this.
 * In this case you mentioned a website that was built on top of WordPress, which
   is powered by PHP, so you can add the _“HttpOnly”_ flag to the cookies using
   either the _“setcookie”_ or _“setrawcookie”_ functions, or you can achieve the
   same result by adding the headers manually like this:
 *     ```
       setcookie(
           $name,    // Name of the cookie.
           $value,   // Value of the cookie.
           $expire,  // Time the cookie expires in Unix timestamp.
           $path,    // Path on the server in which the cookie will be.
           $domain,  // The domain that the cookie is available to.
           $secure,  // Transmitted only over a secure HTTPS connection.
           $httponly // Make accessible only through the HTTP protocol.
       );
       setrawcookie( [same parameter as setcookie] );
       header( 'Set-Cookie: name=value; HttpOnly' );
       ```
   
 * It is worth mentioning that SiteCheck, which is the scanner that powers the
   Malware Scan page available in the plugin, will display the warning if at least
   one cookie _(in case there is more than one)_ is missing the _“HttpOnly”_
   flag. For instance, the website mentioned above has two cookies _(at the moment)_
   and only one of them is secured.
 * Reference: [How do you set up use HttpOnly cookies in PHP](http://stackoverflow.com/a/36885)
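The check yorman describes, reproduced locally as an added example (not SiteCheck's, the plugin's or any poster's code): it parses a response's Set-Cookie headers and reports which cookie lacks HttpOnly or Secure, which is how you can tell which of several cookies triggers the warning. The response below, including its cookie names and values, is constructed sample data.

```python
"""Report which Set-Cookie headers in an HTTP response lack HttpOnly/Secure."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        # Flag attributes (HttpOnly, Secure) have no "=value"; they map to "".
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_cookies(raw_headers: str) -> List[dict]:
    """Return every cookie in the raw response headers missing HttpOnly or Secure."""
    findings = []
    for line in raw_headers.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        missing = [f for f in ("httponly", "secure") if f not in cookie["attrs"]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing})
    return findings


# Constructed sample response: two cookies, only the first one hardened.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=constructedsessionid; path=/
"""

if __name__ == "__main__":
    # Expected: only PHPSESSID is reported, missing both flags.
    for finding in insecure_cookies(SAMPLE_RESPONSE):
        print(f"{finding['name']}: missing {', '.join(finding['missing']).upper()}")
```

Feed it the headers from `curl -sI https://example.invalid/` (placeholder host) to run the same check against your own site.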
 *  Thread Starter [SSavage](https://wordpress.org/support/users/ssavage/)
 * (@ssavage)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888058)
 * Thank you, Yorman, and may I ask: does this go into wp-config.php, .htaccess,
   functions.php, pluggable.php, or where?
 * Shawn
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888102)
 * The best location for the manipulation of the headers is the first file that
   is called when the website is loaded, in this case the main _“index.php”_ file,
   but it is not recommended to edit WordPress core files, so I would say that you
   can add the cookie flag in the main file of your current theme.
 * Try adding these three lines [1] at the beginning of the _“index.php”_ file located
   here [3]; if that does not work or the file does not exist, then try to add
   these three lines [2] in the main _“.htaccess”_ file [4], and if that does not
   work then I would ask your hosting provider to help you with that; they must
   know the server where your website is being hosted better than you and me.
 *     ```
       [1] First option for index.php file.
       @ini_set('session.cookie_httponly', 'On');
       @ini_set('session.cookie_secure', 'On');
       @ini_set('session.use_only_cookies', 'On');
       ```
   
 *     ```
       [2] Second option for .htaccess file.
       php_flag session.cookie_httponly On
       php_flag session.cookie_secure On
       php_flag session.use_only_cookies On
       ```
   
 * [3] [http://tomblubaugh.net/wp-content/themes/striking_r/index.php](http://tomblubaugh.net/wp-content/themes/striking_r/index.php)
   [
   4] [http://tomblubaugh.net/.htaccess](http://tomblubaugh.net/.htaccess)
 *  Thread Starter [SSavage](https://wordpress.org/support/users/ssavage/)
 * (@ssavage)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888137)
 * Thank you, Yorman,
 * Inserting the code in the index.php file did not remove the warning from the 
   Sucuri Malware Scan.
 * Adding the code in the .htaccess returned a 501 error when refreshing the website.
   I then wrapped the code:
 *     ```
       <IfModule php5_module>
           php_flag session.cookie_httponly on
           php_flag session.cookie_secure On
           php_flag session.use_only_cookies On
       </IfModule>
       ```
 * and the 501 error went away; however, I have to wait at least 20 mins to clear
   the malware scan cache before running it again.
 * Just FYI, I had already added the if statements to the .htaccess file but with
   only the one line for httponly.
 *  Thread Starter [SSavage](https://wordpress.org/support/users/ssavage/)
 * (@ssavage)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888145)
 * Thank you for all the help. Item warning is still there. I will get with my server
   host.
 *  [yorman](https://wordpress.org/support/users/yorman/)
 * (@yorman)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888147)
 * Yes, that is better, they usually give better support considering that they are
   the ones managing the servers. I can only provide ambiguous information because
   I do not know much about the configuration of the site or its server.
 * By the way, you do not need to wait ~20 minutes to run a new malware scan; you
   can run a new/fresh scan every time you want as long as you reset the cache that
   the plugin generates. Go to the _“Scanner Settings”_ and you will find there
   an option that says _“Reset SiteCheck Logs”_; click that button and the _“Malware
   Scan”_ will be reset immediately.
 *  [David](https://wordpress.org/support/users/dcrabill/)
 * (@dcrabill)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/cookie-without-httponly/#post-5888284)
 * Thanks so much, Yorman, for all your help on this. The last tidbit about resetting
   the sitecheck logs is a lifesaver!
 * I’ve spent hours trying to figure this out, and I’ve learned a lot. I changed
   my php.ini file, and I’ve also added `@ini_set('session.cookie_httponly', 'On');`
   to wp-config.php. That correctly enables that setting in PHP, which I can confirm
   with `ini_get('session.cookie_httponly');`.
 * However, that does not eliminate the error. As it turns out, any plugin that 
   tries calling `session_start()` will also cause this error to come up. This is
   happening in three of my plugins: WordPress Social Login, Paid Memberships Pro,
   and WC Vendors.
 * It is possible to eliminate the error by calling `session_start()` in the plugin
   with the `init` action, like so:
 *     ```
       function wsl_start_session() {
           if ( ! session_id() ) {
               @session_start();
           }
       }
       add_action( 'init', 'wsl_start_session', 1 );
       ```
   
 * However, I have not confirmed that the cookies function properly under this setting.
   My question is: is this actually the plugin’s fault, or is it a problem with 
   Sucuri’s check? It’s worth noting that a plugin consisting only of:
 *     ```
       if ( ! session_id() ) {
           @session_start();
       }
       ```
   
 * will throw the error, so it’s unrelated to the other contents of those plugins.

The topic ‘Cookie without HttpOnly’ is closed to new replies.
