Make WordPress Core

Context Navigation

Changes between Version 1 and Version 2 of Ticket #52639, comment 11

Timestamp:: 08/24/2024 12:01:49 AM (17 months ago)
Author:: azaozz
Comment:

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #52639, comment 11

v1	v2
1		May be missing something but looking at the screenshots with the "insecure" cookies, all are `expires=Tue, 25-Feb-2020 ...` however this ticket was opened on 02/24/2021, one year later. So unless the screenshots were made exactly one year earlier these all seem to be attempts to delete cookies if they exist, not to set or retrieve them? That may be how the testing software works, seems it may be looking at the HTTP headers as well as JS. But I'm unsure what is proven by these "delete a cookie" calls?
	1	May be missing something but looking at the screenshots with the "insecure" cookies, all are `expires=Tue, 25-Feb-2020 ...` however this ticket was opened on 02/24/2021, one year later. So unless the screenshots were made exactly one year earlier these all seem to be attempts to delete cookies if they exist, not to set or retrieve them?
	2
	3	Seems this may be caused by the attempt to delete the WP auth cookies in `wp_clear_auth_cookie()`, see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1121. Or it may be how the testing software works, seems it may be looking at the HTTP headers as well as JS. But I'm unsure what is proven by these "delete a cookie" calls?
2	4
3	5	Testing in WP 6.6.1 (current release) and trunk/6.7-alpha I don't seem to be able to access any of the mentioned cookies from JS. The only cookie that is accessible is `wordpress_test_cookie=WP%20Cookie%20check;`. As explained by @TimothyBlynJacobs above it is designed to work that way and that is not a security concern. All other cookies seem to be properly set to secure, HttpOnly, etc. see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1092.