Support » Plugin: Download Monitor » HttpOnly cookie

  • mdmower (topic marked Resolved):


    Is there a reason why you set the HttpOnly flag to false in the wp_dlm_downloading cookie? General practice is to set HttpOnly=true to avoid XSS vulnerabilities.

    In includes/class-dlm-download-handler.php:
    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false );

Viewing 3 replies - 1 through 3 (of 3 total)
  • Err, that was a little misleading: you don’t actually “set” HttpOnly to false; rather, omitting the last boolean defaults it to false. So basically, it would be great if you could tack on another argument to setcookie for the set_httponly field:

    setcookie( 'wp_dlm_downloading', $download->id, time()+60, COOKIEPATH, COOKIE_DOMAIN, false, true );

    Closing this comment thread. Instead, track pull request 206 to see whether this is implemented or not.
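    The two calls from this thread side by side, as an added example rather than the plugin's own code: the original call with the seventh (httponly) argument omitted, the same call with httponly=true as requested, and a small audit helper that scans Set-Cookie header lines for cookies missing the HttpOnly attribute. COOKIEPATH and COOKIE_DOMAIN are WordPress constants; the fallback definitions, the sample download id and the sample header lines are constructed here so the snippet runs outside WordPress.

```php
<?php
// Added example, not code from the Download Monitor plugin.
// COOKIEPATH / COOKIE_DOMAIN are normally defined by WordPress; stand-ins
// are defined here only so the script runs on its own.
if (!defined('COOKIEPATH')) {
    define('COOKIEPATH', '/');
}
if (!defined('COOKIE_DOMAIN')) {
    define('COOKIE_DOMAIN', '');
}

// Constructed sample value standing in for $download->id.
$downloadId = 42;

// Before: the httponly argument is omitted, so it defaults to false and
// script running in the page can read wp_dlm_downloading via document.cookie.
function set_downloading_cookie_weak(int $downloadId): bool
{
    return setcookie('wp_dlm_downloading', (string) $downloadId, time() + 60, COOKIEPATH, COOKIE_DOMAIN, false);
}

// After: the positional form proposed in the thread, httponly=true.
function set_downloading_cookie_hardened(int $downloadId): bool
{
    return setcookie('wp_dlm_downloading', (string) $downloadId, time() + 60, COOKIEPATH, COOKIE_DOMAIN, false, true);
}

// Equivalent options-array form (PHP 7.3+), which also allows SameSite.
// The secure flag is derived from the request here as a simple stand-in
// for WordPress's is_ssl().
function set_downloading_cookie_options(int $downloadId): bool
{
    return setcookie('wp_dlm_downloading', (string) $downloadId, [
        'expires'  => time() + 60,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Audit helper: given the Set-Cookie header lines of a response, return the
 * names of cookies that carry no HttpOnly attribute. Attribute matching is
 * case-insensitive, as browsers treat it.
 */
function cookies_missing_httponly(array $setCookieHeaders): array
{
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        $pair  = array_shift($parts);
        $name  = explode('=', $pair, 2)[0];
        $attrs = array_map('strtolower', $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Cookies must be set before any output.
set_downloading_cookie_hardened($downloadId);

// Constructed sample Set-Cookie lines in the shape a `curl -sI` against a
// download URL would return; not real output from the plugin.
$sampleHeaders = [
    'wp_dlm_downloading=42; expires=Thu, 01 Jan 2026 00:00:00 GMT; Max-Age=60; path=/',
    'wordpress_test_cookie=WP+Cookie+check; path=/; HttpOnly',
];

print_r(cookies_missing_httponly($sampleHeaders));
```

    Running the audit helper over the sample lines lists only wp_dlm_downloading, which is the situation the original post describes. Note what the flag does and does not do: HttpOnly keeps the cookie out of document.cookie, so an injected script cannot read it, but it does not prevent the injection itself; it is a containment measure to pair with output escaping, not a replacement for it.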

    Barry Kooij (Plugin Author):


    Thanks, will have a look at this soon!
