Make WordPress Core

Changes between Version 3 and Version 4 of Ticket #52639, comment 11


Timestamp:
08/24/2024 12:25:19 AM (5 months ago)
Author:
azaozz
  • Ticket #52639, comment 11

    v3  v4
    1   1   May be missing something but looking at the screenshots with the "insecure" cookies, all are `expires=Tue, 25-Feb-2020 ...` however this ticket was opened on 02/24/2021, one year later. So unless the screenshots were made exactly one year earlier these all seem to be attempts to delete cookies if they exist, not to set or retrieve them?
    2   2
    3       Seems these "false positive" results are caused by the attempts to delete old WP auth cookies in `wp_clear_auth_cookie()`, see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1121. Or it may be how the testing software works, seems it may be looking at the HTTP headers as well as JS. But I'm unsure what is proven by these "delete a cookie" calls?
        3   As far as I see these "false positive" results are caused by the attempts to delete old WP auth cookies in `wp_clear_auth_cookie()`, see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1121. Seems the testing software catches these calls and misinterprets them as attempts to set cookies.
    4   4
    5   5   Testing in WP 6.6.1 (current release) and trunk/6.7-alpha I don't seem to be able to access any of the mentioned cookies from JS. The only cookie that is accessible is `wordpress_test_cookie=WP%20Cookie%20check;`. As explained by @TimothyBlynJacobs above it is designed to work that way and that is not a security concern. All other cookies seem to be properly set to secure, HttpOnly, etc. see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1092.
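The comment above argues that the scanner reads cookie deletions (a `Set-Cookie` with an expiry in the past, which is how `wp_clear_auth_cookie()` removes old auth cookies) as insecure cookie sets. As an added example, not part of the ticket or of WordPress, the Python check below first classifies each `Set-Cookie` header as a deletion or a real set and reports missing `Secure`/`HttpOnly` only for real sets; the header lines, the `HASH` cookie-name suffix and the dates are constructed for the example.

```python
"""Classify Set-Cookie headers as deletions or real sets before auditing
Secure/HttpOnly, so past-expiry deletions (as wp_clear_auth_cookie() emits)
are not reported. Headers, the "HASH" suffix and dates are constructed."""
from datetime import datetime, timezone

NOW = datetime(2021, 2, 24, tzinfo=timezone.utc)  # the ticket's opening date

# Two deletions (expiry one year in the past) followed by two real sets.
SAMPLE_HEADERS = [
    "wordpress_logged_in_HASH=+; expires=Tue, 25-Feb-2020 00:00:00 GMT; path=/",
    "wordpress_sec_HASH=+; expires=Tue, 25-Feb-2020 00:00:00 GMT; path=/; secure; HttpOnly",
    "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
    "wordpress_logged_in_HASH=admin%7Ctoken; expires=Wed, 10-Mar-2021 00:00:00 GMT; path=/; secure; HttpOnly",
]
# PHP's setcookie() writes the hyphenated form; the RFC 7231 form is accepted too.
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lowercased attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def is_deletion(cookie, now):
    """True when the header removes the cookie: Max-Age <= 0 or Expires in the past."""
    attrs = cookie["attrs"]
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return int(attrs["max-age"]) <= 0
    for fmt in EXPIRES_FORMATS:
        try:
            expiry = datetime.strptime(attrs.get("expires", ""), fmt)
        except ValueError:
            continue
        return expiry.replace(tzinfo=timezone.utc) <= now
    return False

def audit(headers, now=NOW):
    """Return (cookie name, missing flags) only for cookies that are really set."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_deletion(cookie, now):
            continue  # deletion of an old cookie, nothing to flag
        missing = [f for f in ("secure", "httponly") if f not in cookie["attrs"]]
        findings.append((cookie["name"], missing))
    return findings
```

Run against the constructed headers, the two deletions are skipped and only `wordpress_test_cookie` is reported as readable from JS, matching what the comment describes as intended behaviour.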