WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#28427 closed enhancement (fixed)

All cookies should be secure when `home` and `siteurl` use HTTPS

Reported by: johnbillion Owned by: johnbillion
Milestone: 4.0 Priority: low
Severity: minor Version:
Component: Security Keywords: has-patch needs-testing
Focuses: Cc:

Description

In the situation where a site is only served over SSL (ie. the home and siteurl options use the HTTPS scheme) then all cookies should have the secure flag set.

Currently the secure flag isn't set on the test cookie and the settings cookies in this situation.

Somewhat related: #28426.

Attachments (3)

28427.diff (3.7 KB) - added by johnbillion 5 years ago.
28427.2.diff (3.4 KB) - added by johnbillion 5 years ago.
28427.patch (2.7 KB) - added by ocean90 5 years ago.

Download all attachments as: .zip

Change History (10)

#1 @johnbillion
5 years ago

Also applies to the comment_author and comment_author_email cookies.

#2 @nacin
5 years ago

  • Milestone changed from Awaiting Review to 4.0

@johnbillion
5 years ago

#3 @johnbillion
5 years ago

  • Keywords has-patch needs-testing added

28427.diff tackles this. Note that it relies on my patch for is_https() on #28487.

The patch sets the 'secure' flag on...

  • The test cookie if both home_url() and site_url() are https.
  • The settings cookies if site_url() is https.
  • The post password cookie if home_url() is https.
  • The comment author cookies if the comment post permalink is https.

I'm in two minds about the comment author cookies. It could just check for https on home_url() rather than the current comment post permalink.

#4 @johnbillion
5 years ago

  • Priority changed from normal to low

@johnbillion
5 years ago

#5 @johnbillion
5 years ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 28895:

Conditionally set the the secure flag on the test cookie, post password cookie, settings cookies, and comment author cookies depending on whether the front end and/or admin area are served over https. Fixes #28427

This ticket was mentioned in IRC in #wordpress-dev by johnbillion. View the logs.


5 years ago

@ocean90
5 years ago

#7 @ocean90
5 years ago

In 29311:

Replace is_https_url() with 'https' === parse_url( $url, PHP_URL_SCHEME ).

see #28427, #28487.

Note: See TracTickets for help on using tickets.