Support » Everything else WordPress » why WP is not creating each cookie with httponly option set as true?

  • We are building a platform to host some sites in WP, but we found that some of the cookies are set with httponly as false. I would like to know the criteria / logic for why some of the cookies are not with httponly enabled.

    Our security team is not allowing us to go forward with WP if this feature is disabled, even if for a single cookie.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steve Stern

    (@sterndata)

    If you add these PHP options to wp-config.php, will things pass your audit?

    @ini_set('session.cookie_httponly', true);
    @ini_set('session.cookie_secure', true);
    @ini_set('session.use_only_cookies', true);

    There is some discussion of this on the core trac:

    https://core.trac.wordpress.org/search?q=httponly

    Thanks,

    I have already tried this solution, but WP is still creating some cookies with httponly disabled, like wordpress_test_cookie and wp-settings-time-{$uid}.

    As WP is simply using the core PHP setcookie function to create the cookie with no parameter after $secure, it is taking the default value (false) for httponly:

    setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );

    But for some cookies WP is passing true for httponly. This is the confusion and the main issue. Why is WP not setting httponly as true for all cookies, and how can we overcome this issue?

    Moderator Steve Stern

    (@sterndata)

    The “Why” is explained in some of those trac tickets. Googling around, I found a solution via .htaccess

    https://gist.github.com/Zodiac1978/d25a8f3aebba7cd1c01c#file-htaccess-L82

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The test cookie is set without the httponly flag because it is a test cookie. It contains no actual data, it’s only used to detect if cookies are disabled.

    The various authentication cookies that WordPress uses are httponly cookies. If you are using https, then they also have their secure flag set to true for the cookies in the wp-admin side of things.

    When clearing cookies, such as during a logout, the setcookie does not pass them as httponly, because those cookies contain no data. They are blanked out by setting them to have just a space in them.

    Other cookies WordPress uses do not contain private data and may need to be accessed by JavaScript. For example, when leaving a comment, the three fields (name, email, url) are saved as cookies to make it easier to fill those fields in later. Some themes may need access to those via JavaScript if they do special things with the comment box.

    Some cookies such as the wp-settings cookie contain minor user preferences, such as which fields to show or hide by default on the post editing screen. These are user specific and also necessary for the JavaScript to access them to show or hide those fields.

    Essentially, httponly is used when it is appropriate, and not used when those cookies should not be httponly.
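The cookie policy described in the reply above can be checked mechanically against what a site actually sends, which is also the way to verify whether a wp-config.php directive or a web-server header rewrite changed anything. The Python script below is an added example, not WordPress code and not from any poster in this thread. It parses Set-Cookie header values, sorts them into the cookie families named in the thread (auth cookies wordpress_*, wordpress_sec_*, wordpress_logged_in_*; the wordpress_test_cookie probe; the JavaScript-readable wp-settings-* and comment_author* cookies), and reports only auth cookies lacking HttpOnly (or Secure over HTTPS) as failures. It also shows a selective form of the "append HttpOnly to every Set-Cookie" rewrite that a web-server header rule would apply blanket-wise, exempting the cookies the admin and comment JavaScript must read. The hash suffix 0123abcd, the cookie values and the plugin_session cookie are constructed sample data.

```python
"""Audit and selectively harden Set-Cookie headers (added example, not WordPress code).

The sample headers at the bottom are constructed to imitate WordPress core cookie
names; the hash suffix "0123abcd", the values and "plugin_session" are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieFlags:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    path: str = "/"
    other: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive
    (servers emit both 'secure' and 'Secure'), so compare them lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    ck = CookieFlags(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            ck.secure = True
        elif key == "httponly":
            ck.httponly = True
        elif key == "samesite":
            ck.samesite = val
        elif key == "path":
            ck.path = val
        else:
            ck.other[key] = val
    return ck


# Cookie families named in the thread. Auth cookies carry the login credential
# and must be HttpOnly; the others hold no secret and are either read by
# front-end/admin JavaScript or are a pure "are cookies enabled" probe.
AUTH_PREFIXES = ("wordpress_sec_", "wordpress_logged_in_", "wordpress_")
JS_READABLE_PREFIXES = ("wp-settings-", "comment_author")
PROBE_COOKIES = ("wordpress_test_cookie",)


def classify(name: str) -> str:
    if name in PROBE_COOKIES:          # checked first: it also starts with "wordpress_"
        return "probe"
    if name.startswith(JS_READABLE_PREFIXES):
        return "js-readable"
    if name.startswith(AUTH_PREFIXES):
        return "auth"
    return "unknown"


def audit(headers: List[str], https: bool = True) -> Dict[str, str]:
    """Map cookie name -> verdict. Only auth cookies without HttpOnly (or without
    Secure on an HTTPS site) are real findings; probe and js-readable cookies are
    expected to be script-accessible; unknown names (plugins) need manual review."""
    verdicts: Dict[str, str] = {}
    for h in headers:
        ck = parse_set_cookie(h)
        kind = classify(ck.name)
        if kind == "auth":
            if not ck.httponly:
                verdicts[ck.name] = "FAIL: auth cookie without HttpOnly"
            elif https and not ck.secure:
                verdicts[ck.name] = "WARN: auth cookie without Secure on HTTPS"
            else:
                verdicts[ck.name] = "ok"
        elif kind in ("probe", "js-readable"):
            verdicts[ck.name] = "ok: no secret, JS access expected"
        else:
            verdicts[ck.name] = "REVIEW: unknown cookie" + ("" if ck.httponly else ", not HttpOnly")
    return verdicts


def harden_set_cookie(header: str, exempt_prefixes: Tuple[str, ...] = JS_READABLE_PREFIXES,
                      add_secure: bool = True) -> str:
    """Selective version of a blanket 'append HttpOnly to every Set-Cookie' rewrite:
    cookies JavaScript must read are left untouched so the site keeps working."""
    ck = parse_set_cookie(header)
    if ck.name.startswith(exempt_prefixes):
        return header
    out = header
    if not ck.httponly:
        out += "; HttpOnly"
    if add_secure and not ck.secure:
        out += "; Secure"
    return out


SAMPLE_HEADERS = [  # constructed; mimics WordPress core cookie names
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "wordpress_logged_in_0123abcd=admin%7C1700000000%7Ctoken%7Chmac; path=/; HttpOnly",
    "wordpress_sec_0123abcd=admin%7C1700000000%7Ctoken%7Chmac; path=/wp-admin; secure; HttpOnly",
    "wordpress_0123abcd=admin%7C1700000000%7Ctoken%7Chmac; path=/wp-admin",
    "wp-settings-time-1=1700000000; path=/",
    "comment_author_0123abcd=alice; path=/",
    "plugin_session=abc123; path=/",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name:32s} {verdict}")
    print("--- selectively hardened ---")
    for h in SAMPLE_HEADERS:
        print(harden_set_cookie(h))
```

Against a live site, pass the raw values from the response (for example `resp.headers.get_all("Set-Cookie")` from `urllib.request` after a login POST) to `audit()`; only the FAIL and REVIEW lines need a security-team conversation, since the probe and preference cookies are script-readable by design.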
