Opened 6 years ago

Closed 6 years ago

#34159 closed defect (bug) (fixed)

Tweak the secure cookie flag logic for some cookies

Reported by: johnbillion Owned by: johnbillion
Milestone: 4.4 Priority: low
Severity: minor Version: 4.0
Component: Security Keywords: has-patch 2nd-opinion
Focuses: Cc:

Description

The URLs that are used when determining whether to set the secure flag on the user settings cookies and the test cookie aren't always appropriate.

  1. If a site's home and siteurl URLs use http but FORCE_SSL_ADMIN is used, then the secure flag won't be set on user settings cookies. Ref. This should use admin_url() instead.
  2. If a site's home URL uses http but the login form uses https then the secure flag won't be set on the test cookie. Ref. This should use wp_login_url() instead.

Introduced in #28427

Related: #29641
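The scheme selection the ticket relies on, shown as an added example that is not WordPress core code and not part of the ticket. It is a small stand-in for how admin_url() and wp_login_url() switch to https when FORCE_SSL_ADMIN is on (or the request is already SSL) while home_url() keeps whatever scheme the home option stores, and it derives the cookie secure flag from each URL the way the fix does. The $config array and the scheme_for_context(), build_url() and secure_flag_for_url() helpers are constructed for this example and are not core functions.

```php
<?php
// Constructed site configuration, standing in for the WP options/constants:
// home and siteurl are plain http, FORCE_SSL_ADMIN is defined true, and the
// current request did not arrive over SSL.
$config = array(
    'home'            => 'http://example.test',
    'force_ssl_admin' => true,   // define( 'FORCE_SSL_ADMIN', true );
    'is_ssl'          => false,  // is_ssl() for the current request
);

/**
 * Stand-in for core's scheme handling in set_url_scheme() for the 'admin'
 * and 'login' contexts: https when the request is SSL or FORCE_SSL_ADMIN
 * is on; any other context keeps the scheme stored in the home option.
 */
function scheme_for_context( array $config, $context ) {
    if ( in_array( $context, array( 'admin', 'login' ), true ) ) {
        return ( $config['is_ssl'] || $config['force_ssl_admin'] ) ? 'https' : 'http';
    }
    return parse_url( $config['home'], PHP_URL_SCHEME );
}

/** Builds a site URL for a path using the scheme chosen for the context. */
function build_url( array $config, $path, $context ) {
    $scheme = scheme_for_context( $config, $context );
    $host   = parse_url( $config['home'], PHP_URL_HOST );
    return $scheme . '://' . $host . '/' . ltrim( $path, '/' );
}

/**
 * The secure flag is simply "does the URL the cookie is tied to use https?".
 * Deriving it from the wrong URL is the bug the ticket describes.
 */
function secure_flag_for_url( $url ) {
    return 'https' === parse_url( $url, PHP_URL_SCHEME );
}

// Before (ticket item 1): secure flag for the user settings cookie taken
// from the home URL, which stays http even though the admin is forced SSL.
$home_url  = build_url( $config, '/', 'home' );
// After: the same decision based on the admin URL, and on the login URL for
// the test cookie (ticket item 2).
$admin_url = build_url( $config, 'wp-admin/', 'admin' );
$login_url = build_url( $config, 'wp-login.php', 'login' );

foreach ( array( 'home_url()' => $home_url, 'admin_url()' => $admin_url, 'wp_login_url()' => $login_url ) as $name => $url ) {
    printf( "%-15s %-40s secure=%s\n", $name, $url, var_export( secure_flag_for_url( $url ), true ) );
}
```

Run with `php example.php`: only the home URL yields secure=false, so a cookie that is only ever sent to the https admin or login pages would have been set without the secure flag under the old logic. In core the equivalent check is the comparison of `parse_url( admin_url(), PHP_URL_SCHEME )` or `parse_url( wp_login_url(), PHP_URL_SCHEME )` against `'https'` before calling setcookie().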

Attachments (1)

34159.diff (1.3 KB) - added by johnbillion 6 years ago.

Change History (4)

#1 @johnbillion
6 years ago

  • Owner set to johnbillion
  • Status changed from new to accepted

@johnbillion
6 years ago

#2 @johnbillion
6 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Just needs a sanity check.

#3 @johnbillion
6 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 34931:

Correctly set the secure flag for the test cookie based on the login URL scheme, and the same for the user settings cookies based on the admin URL scheme.

Fixes #34159