Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#28427 closed enhancement (fixed)

All cookies should be secure when `home` and `siteurl` use HTTPS

Reported by: johnbillion Owned by: johnbillion
Milestone: 4.0 Priority: low
Severity: minor Version:
Component: Security Keywords: has-patch needs-testing
Focuses: Cc:


In the situation where a site is only served over SSL (i.e. the home and siteurl options use the HTTPS scheme) then all cookies should have the secure flag set.

Currently the secure flag isn't set on the test cookie and the settings cookies in this situation.

Somewhat related: #28426.

Attachments (3)

28427.diff (3.7 KB) - added by johnbillion 10 years ago.
28427.2.diff (3.4 KB) - added by johnbillion 10 years ago.
28427.patch (2.7 KB) - added by ocean90 10 years ago.


Change History (10)

#1 @johnbillion
10 years ago

Also applies to the comment_author and comment_author_email cookies.

#2 @nacin
10 years ago

  • Milestone changed from Awaiting Review to 4.0


#3 @johnbillion
10 years ago

  • Keywords has-patch needs-testing added

28427.diff tackles this. Note that it relies on my patch for is_https() on #28487.

The patch sets the 'secure' flag on...

  • The test cookie if both home_url() and site_url() are https.
  • The settings cookies if site_url() is https.
  • The post password cookie if home_url() is https.
  • The comment author cookies if the comment post permalink is https.

I'm in two minds about the comment author cookies. It could just check for https on home_url() rather than the current comment post permalink.
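To make the rules in the ticket description and in comment #3 concrete, the following is an added example in PHP; it is not WordPress core code and not taken from any of the attached patches. The variables `$home`, `$site` and `$permalink` stand in for `home_url()`, `site_url()` and the comment post permalink, and the cookie names are used only as labels for the four cookie families the ticket names. The scheme test is the one from comment #7, with a case fold added because `parse_url()` returns the scheme as written in the URL. The point of the flag: a cookie set without `Secure` while the page was loaded over HTTPS is still sent by the browser on any plain `http://` request to the same host, which is what the ticket wants to prevent.

```php
<?php
// Added example, not WordPress core code. Per-cookie "secure" decision
// following the rules listed in comment #3 of ticket #28427.

declare(strict_types=1);

/**
 * True when $url uses the https scheme. Same test as comment #7,
 * with strtolower() because parse_url() preserves the scheme's case.
 */
function is_https_url(string $url): bool
{
    return 'https' === strtolower((string) parse_url($url, PHP_URL_SCHEME));
}

/**
 * Decide the Secure flag for each cookie family.
 * $home, $site and $permalink are assumed stand-ins for home_url(),
 * site_url() and the comment post permalink (illustration only).
 *
 * @return array<string,bool>  cookie family => should be Secure
 */
function cookie_secure_flags(string $home, string $site, string $permalink): array
{
    $home_https = is_https_url($home);
    $site_https = is_https_url($site);

    return [
        // Test cookie is read on both the front end and in the admin area,
        // so it may only be Secure when both are https.
        'wordpress_test_cookie' => $home_https && $site_https,
        // Settings cookies are only used in the admin area (site_url()).
        'wp-settings'           => $site_https,
        // Post password cookie is only used on the front end (home_url()).
        'wp-postpass'           => $home_https,
        // Comment author cookies are set from the post's comment form.
        'comment_author'        => is_https_url($permalink),
    ];
}

/**
 * Set a cookie with the decided Secure flag. Returns false instead of
 * emitting a warning when headers have already been sent (CLI runs).
 */
function set_cookie_with_flag(string $name, string $value, bool $secure): bool
{
    if (headers_sent()) {
        return false;
    }
    return setcookie($name, $value, [
        'expires' => 0,
        'path'    => '/',
        'secure'  => $secure,
    ]);
}

// Constructed sample configurations (not real sites).
$cases = [
    'all https'        => ['https://example.com', 'https://example.com/wp', 'https://example.com/hello-world/'],
    'https admin only' => ['http://example.com',  'https://example.com/wp', 'http://example.com/hello-world/'],
    'all http'         => ['http://example.com',  'http://example.com/wp',  'http://example.com/hello-world/'],
];

foreach ($cases as $label => [$home, $site, $permalink]) {
    echo $label, ":\n";
    foreach (cookie_secure_flags($home, $site, $permalink) as $cookie => $secure) {
        printf("  %-22s secure=%s\n", $cookie, $secure ? 'yes' : 'no');
        // In a real request this is where the cookie would be emitted:
        // set_cookie_with_flag($cookie, 'value', $secure);
    }
}
```

Running the script prints, for the "https admin only" case, `secure=yes` only for the settings cookie: the test cookie stays non-Secure because it must also work on the http front end, which is exactly the "both home_url() and site_url()" condition from comment #3.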

#4 @johnbillion
10 years ago

  • Priority changed from normal to low


#5 @johnbillion
10 years ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 28895:

Conditionally set the secure flag on the test cookie, post password cookie, settings cookies, and comment author cookies depending on whether the front end and/or admin area are served over https. Fixes #28427

This ticket was mentioned in IRC in #wordpress-dev by johnbillion.

10 years ago

#7 @ocean90
10 years ago

In 29311:

Replace is_https_url() with 'https' === parse_url( $url, PHP_URL_SCHEME ).

see #28427, #28487.
