Download Monitor
[resolved] HttpOnly cookie (4 posts)

  1. mdmower
    Posted 1 year ago

    Is there a reason why you set the HttpOnly flag to false in the wp_dlm_downloading cookie? General practice is to set HttpOnly=true to avoid XSS vulnerabilities.

    In includes/class-dlm-download-handler.php:
    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false );


  2. mdmower
    Posted 1 year ago

    Err, that was a little misleading, you don't actually "set" HttpOnly to false, but rather omitting the last boolean defaults it to false. So basically, it would be great if you could tack on another argument to setcookie for the set_httponly field:

    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false, true );
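    An added example, not the plugin's own code, of the change asked for above: the same cookie set with httponly enabled through setcookie()'s options array (PHP 7.3+), plus a small check that reports which flags a Set-Cookie header value lacks. The COOKIEPATH and COOKIE_DOMAIN stand-ins, the download id 42 and the two sample header values are constructed for the demonstration.

```php
<?php
// Added example, not Download Monitor's own code. Sets the one-minute download
// cookie from the thread with HttpOnly using PHP's options-array form of
// setcookie() (PHP >= 7.3), and audits a Set-Cookie header for missing flags.

// Assumed stand-ins for the WordPress constants used in the original call.
define('COOKIEPATH', '/');
define('COOKIE_DOMAIN', 'example.com');

// Same cookie as in class-dlm-download-handler.php, with httponly => true.
function set_download_cookie(int $download_id, bool $secure): void
{
    setcookie('wp_dlm_downloading', (string) $download_id, [
        'expires'  => time() + 60,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => $secure,   // true when the site is served over HTTPS
        'httponly' => true,      // the flag this thread asks for
        'samesite' => 'Lax',
    ]);
}

// Returns the names of the attributes missing from a Set-Cookie header value;
// this is the check a reviewer would run against the response after the fix.
function missing_cookie_flags(string $set_cookie): array
{
    $parts = array_map('trim', explode(';', $set_cookie));
    array_shift($parts); // the first part is name=value, not an attribute
    $present = array_map(
        fn(string $attr): string => strtolower(explode('=', $attr, 2)[0]),
        $parts
    );
    return array_values(array_diff(['httponly', 'secure', 'samesite'], $present));
}

// Constructed header values: what the call quoted in the thread emits, and
// the hardened version. Download id 42 is a made-up value.
$before = 'wp_dlm_downloading=42; expires=Thu, 01 Jan 2015 00:01:00 GMT; Max-Age=60; path=/; domain=example.com';
$after  = $before . '; secure; HttpOnly; SameSite=Lax';

set_download_cookie(42, true); // must run before any output is sent

foreach (['before' => $before, 'after' => $after] as $label => $header) {
    $missing = missing_cookie_flags($header);
    printf("%s: %s\n", $label, $missing ? 'missing ' . implode(', ', $missing) : 'ok');
}
```

    Run from the CLI the setcookie() call is a no-op, so the script only exercises the header check; under a web SAPI the cookie is emitted with the flags shown.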

  3. mdmower
    Posted 1 year ago

    Closing this comment thread. Instead, track pull request 206 to see whether this is implemented or not.

  4. Barry Kooij
    Plugin Author

    Posted 1 year ago

    Thanks, will have a look at this soon!

Topic Closed

This topic has been closed to new replies.
