
[Resolved] HttpOnly cookie

  • Is there a reason why you set the HttpOnly flag to false in the wp_dlm_downloading cookie? General practice is to set HttpOnly=true to avoid XSS vulnerabilities.

    In includes/class-dlm-download-handler.php:
    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false );

    https://wordpress.org/plugins/download-monitor/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Err, that was a little misleading: you don’t actually “set” HttpOnly to false; rather, omitting the last boolean defaults it to false. So basically, it would be great if you could tack on another argument to setcookie for the set_httponly field:

    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false, true );

    Closing this comment thread. Instead, track pull request 206 to see whether this is implemented or not.

    Plugin Author Barry Kooij

    @barrykooij

    Thanks, will have a look at this soon!
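The two setcookie() calls quoted in this thread, side by side, as an added example that is not Download Monitor's code and was not posted by anyone above. It stubs WordPress' COOKIEPATH and COOKIE_DOMAIN constants so it runs outside WordPress under PHP's built-in server, uses a made-up $downloadId in place of $download->id, and adds a small self-check that reads the queued Set-Cookie header back so you can see whether HttpOnly actually reached the response. One caveat on the first post's wording: HttpOnly does not prevent XSS; it only keeps the cookie out of document.cookie, so an injected script cannot read it. That is a free win here as long as no legitimate page script needs the value, and the thread mentions none: the cookie holds only the download id and expires after 60 seconds.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Download Monitor plugin.
// Run:   php -S 127.0.0.1:8080 cookie-demo.php
// Then:  curl -i 'http://127.0.0.1:8080/'             (call as quoted in the thread)
//        curl -i 'http://127.0.0.1:8080/?hardened=1'  (call with the proposed 7th argument)
//
// Assumptions: COOKIEPATH / COOKIE_DOMAIN are stubbed because WordPress is not
// loaded, and $downloadId is a constructed stand-in for $download->id.

if (!defined('COOKIEPATH'))    { define('COOKIEPATH', '/'); }
if (!defined('COOKIE_DOMAIN')) { define('COOKIE_DOMAIN', ''); }

$downloadId = 42; // constructed stand-in for $download->id

/**
 * Set the short-lived download cookie discussed in the thread.
 *
 * $hardened = false reproduces the quoted call: the seventh setcookie()
 * parameter ($httponly) is omitted, PHP's default of false applies, and the
 * cookie is readable from document.cookie by any script on the page.
 * $hardened = true passes true in that position, the fix proposed above.
 */
function dlm_set_downloading_cookie(int $downloadId, bool $hardened): bool
{
    if (!$hardened) {
        // As quoted from includes/class-dlm-download-handler.php (no HttpOnly).
        return setcookie('wp_dlm_downloading', (string) $downloadId, time() + 60, COOKIEPATH, COOKIE_DOMAIN, false);
    }

    // Proposed fix: secure stays false as in the original, httponly becomes true.
    // On PHP >= 7.3 the same thing can be written with the options array, which
    // also allows 'samesite' => 'Lax' (not part of what the thread proposes):
    //   setcookie('wp_dlm_downloading', (string) $downloadId, [
    //       'expires' => time() + 60, 'path' => COOKIEPATH, 'domain' => COOKIE_DOMAIN,
    //       'secure' => false, 'httponly' => true, 'samesite' => 'Lax',
    //   ]);
    return setcookie('wp_dlm_downloading', (string) $downloadId, time() + 60, COOKIEPATH, COOKIE_DOMAIN, false, true);
}

/**
 * Return the lower-cased attribute names PHP queued on the Set-Cookie header
 * for $name, e.g. ['expires', 'max-age', 'path', 'httponly'], or [] if no
 * such header is queued. This is the self-check: it reads back what the
 * response will actually carry rather than trusting the call site.
 */
function queued_cookie_attributes(string $name): array
{
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . $name . '=') !== 0) {
            continue;
        }
        $parts = array_map('trim', explode(';', substr($header, strlen('Set-Cookie: '))));
        array_shift($parts); // drop the leading "name=value" pair
        return array_map(
            static fn(string $attr): string => strtolower(explode('=', $attr, 2)[0]),
            $parts
        );
    }
    return [];
}

$hardened = isset($_GET['hardened']);
dlm_set_downloading_cookie($downloadId, $hardened);

$attrs = queued_cookie_attributes('wp_dlm_downloading');
header('Content-Type: text/plain');
echo 'Set-Cookie attributes for wp_dlm_downloading: ', implode(', ', $attrs), PHP_EOL;
echo in_array('httponly', $attrs, true)
    ? "OK: cookie is HttpOnly\n"
    : "WARN: cookie is readable from document.cookie\n";
```

With the first curl the response ends in "WARN", with the second in "OK"; the same check can be pointed at a live site by reading the Set-Cookie header that comes back from a download URL. headers_list() is only meaningful under a web SAPI (the built-in server, Apache, FPM), which is why the example is written to be served rather than run from the CLI.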
