WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#36785 closed feature request (wontfix)

Filter for httponly cookie

Reported by: IAmJulianAcosta Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.5.2
Component: Login and Registration Keywords:
Focuses: Cc:

Description

Sometimes is necessary to send auth cookies without httponly, so I'm proposing a filter to modify this behavior with an action:

plugabble.php

        $http_only = true;
	$http_only = apply_filters ('http_only_auth_cookie', $http_only);

	setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only);
	setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only);
	setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only);
	if ( COOKIEPATH != SITECOOKIEPATH )
		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only);

functions.php

function disable_http_only_cookie ($http_only) {
    return false;
}

add_filter( 'http_only_auth_cookie', 'disable_http_only_cookie' );

I know that this could represent a security issue, but I'm pretty sure that any developer modifying this, is pretty sure about what is doing.

Change History (5)

#1 follow-up: @swissspidy
4 years ago

  • Summary changed from Filter for httponly cookie. to Filter for httponly cookie

Hey there,

Welcome to trac and thanks for creating this ticket!

Sometimes is necessary to send auth cookies without httponly

Can you tell us about specific use cases where this is absolutely necessary and cannot be circumvented by using a separate cookie?

I know that this could represent a security issue

It does, that's why httponly was added on purpose in #7677.

I'm pretty sure that any developer modifying this, is pretty sure about what is doing.

Never be too sure about this, really. There will always be people that would change this for no reason, or seem to be sure about it and forget to deactivate it on their production site.

#2 in reply to: ↑ 1 @IAmJulianAcosta
4 years ago

Hi! I'm talking about specific case when you have to read auth cookie in a web app that uses WordPress users and auth cookie from WordPress for its own auth. I have this particular case, and would be nice if we have an option to modify it. I don't se why would be people that change this setting for no reason.

Replying to swissspidy:

Hey there,

Welcome to trac and thanks for creating this ticket!

Sometimes is necessary to send auth cookies without httponly

Can you tell us about specific use cases where this is absolutely necessary and cannot be circumvented by using a separate cookie?

I know that this could represent a security issue

It does, that's why httponly was added on purpose in #7677.

I'm pretty sure that any developer modifying this, is pretty sure about what is doing.

Never be too sure about this, really. There will always be people that would change this for no reason, or seem to be sure about it and forget to deactivate it on their production site.

#3 @swissspidy
4 years ago

  • Keywords 2nd-opinion added

#4 @dd32
4 years ago

  • Keywords close added

I see no reason why the auth cookies should be made available in this manner, it's just adding the ability for a developer to shoot themselves in the foot with a vulnerability.

If JS needs to know the logged in user, it should use it's own cookie or variable which is set through wp_localize_script() or similar, making available the full auth cookie is just asking for a bad time.

Last edited 4 years ago by dd32 (previous) (diff)

#5 @rmccue
4 years ago

  • Keywords 2nd-opinion close removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Agreed; if you need these in your JS, use a different cookie.

I'm also concerned that allowing this ability would allow plugins, themes, etc to set this without the user's knowledge and downgrade their security. It feels like the wrong way to solve this. :)

Note: See TracTickets for help on using tickets.