WordPress.org


Download Monitor
[resolved] HttpOnly cookie (4 posts)

  1. mdmower
    Member
    Posted 6 months ago

    Is there a reason why you set the HttpOnly flag to false in the wp_dlm_downloading cookie? General practice is to set HttpOnly=true to avoid XSS vulnerabilities.

    In includes/class-dlm-download-handler.php:
    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false );

    https://wordpress.org/plugins/download-monitor/

  2. mdmower
    Member
    Posted 6 months ago

    Err, that was a little misleading: you don't actually "set" HttpOnly to false; rather, omitting the last boolean defaults it to false. So basically, it would be great if you could tack on another argument to setcookie for the set_httponly field:

    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false, true );
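The change proposed above, as an added example that is not the plugin's own code: a wrapper that passes the httponly argument explicitly, plus a small Set-Cookie header parser so the flag can be confirmed in a captured response. $download_id, $path and $domain are assumed parameter names; the plugin itself uses $download->id, COOKIEPATH and COOKIE_DOMAIN.

```php
<?php
// Added example, not Download Monitor's own code.

// Set the short-lived download marker cookie with HttpOnly enabled.
// $download_id, $path and $domain are assumed parameters.
function dlm_set_downloading_cookie( $download_id, $path = '/', $domain = '' ) {
    return setcookie(
        'wp_dlm_downloading',
        (string) $download_id,
        time() + 60,   // one-minute lifetime, as in the original call
        $path,
        $domain,
        false,         // secure: left as the original call passes it
        true           // httponly: the argument the original call omits (defaults to false)
    );
}

// Parse one Set-Cookie header value into name, value and lowercase attributes.
// Attributes without a value (HttpOnly, Secure) map to true.
function dlm_parse_set_cookie( $header ) {
    $parts  = array_map( 'trim', explode( ';', $header ) );
    $first  = array_shift( $parts );
    list( $name, $value ) = array_pad( explode( '=', $first, 2 ), 2, '' );
    $cookie = array( 'name' => $name, 'value' => $value, 'attributes' => array() );
    foreach ( $parts as $part ) {
        if ( $part === '' ) {
            continue;
        }
        list( $k, $v ) = array_pad( explode( '=', $part, 2 ), 2, true );
        $cookie['attributes'][ strtolower( $k ) ] = $v;
    }
    return $cookie;
}

// True when the header carries the HttpOnly attribute (case-insensitive).
function dlm_cookie_is_httponly( $header ) {
    $cookie = dlm_parse_set_cookie( $header );
    return isset( $cookie['attributes']['httponly'] );
}

// Constructed sample headers: what the unpatched call emits, and the same with HttpOnly.
$before = 'wp_dlm_downloading=42; expires=Thu, 01 Jan 2015 00:01:00 GMT; path=/';
$after  = $before . '; HttpOnly';
printf( "before: HttpOnly=%s\n", dlm_cookie_is_httponly( $before ) ? 'yes' : 'no' );
printf( "after:  HttpOnly=%s\n", dlm_cookie_is_httponly( $after ) ? 'yes' : 'no' );
```

Feed dlm_cookie_is_httponly() the Set-Cookie line from a captured download response to confirm the flag is present once the plugin is updated.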

  3. mdmower
    Member
    Posted 1 month ago

    Closing this comment thread. Instead, track pull request 206 to see whether this is implemented or not.

  4. Barry Kooij
    Member
    Plugin Author
    Posted 1 month ago

    Thanks, will have a look at this soon!
