Changes between Version 3 and Version 4 of Ticket #52639, comment 11
Timestamp: 08/24/2024 12:25:19 AM (5 months ago)
Ticket #52639, comment 11
Paragraph 1 (unchanged between v3 and v4):

May be missing something, but looking at the screenshots with the "insecure" cookies, all are `expires=Tue, 25-Feb-2020 ...`; however, this ticket was opened on 02/24/2021, one year later. So unless the screenshots were made exactly one year earlier, these all seem to be attempts to delete cookies if they exist, not to set or retrieve them?

Paragraph 2, v3:

Seems these "false positive" results are caused by the attempts to delete old WP auth cookies in `wp_clear_auth_cookie()`, see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1121. Or it may be how the testing software works; it seems it may be looking at the HTTP headers as well as JS. But I'm unsure what is proven by these "delete a cookie" calls?

Paragraph 2, v4:

As far as I see, these "false positive" results are caused by the attempts to delete old WP auth cookies in `wp_clear_auth_cookie()`, see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1121. Seems the testing software catches these calls and misinterprets them as attempts to set cookies.

Paragraph 3 (unchanged between v3 and v4):

Testing in WP 6.6.1 (current release) and trunk/6.7-alpha, I don't seem to be able to access any of the mentioned cookies from JS. The only cookie that is accessible is `wordpress_test_cookie=WP%20Cookie%20check;`. As explained by @TimothyBlynJacobs above, it is designed to work that way and that is not a security concern. All other cookies seem to be properly set to secure, HttpOnly, etc., see https://core.trac.wordpress.org/browser/tags/6.6.1/src/wp-includes/pluggable.php#L1092.
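The false-positive pattern described in the comment, as an added example that is not part of the ticket or of WordPress core: a small Set-Cookie auditor that treats headers with an expiry already in the past (or Max-Age=0) as deletions and only checks Secure/HttpOnly on cookies that are actually being set. The header samples and the reference time (the ticket's opening date) are constructed.

```python
# Added example, not from the ticket or WordPress core: classify Set-Cookie
# headers so that deletions (past expiry or Max-Age=0, as produced when old
# auth cookies are cleared) are not reported as insecurely set cookies.
# All header samples below are constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed reference time: the ticket's opening date, 02/24/2021.
NOW = datetime(2021, 2, 24, tzinfo=timezone.utc)

SAMPLE_HEADERS = [
    # Deletions: value blanked, expiry in the past, no flags. Harmless.
    "wordpress_sec_abc=+; expires=Tue, 25-Feb-2020 00:00:00 GMT; path=/wp-admin",
    "wordpress_logged_in_abc=+; expires=Tue, 25-Feb-2020 00:00:00 GMT; Max-Age=0; path=/",
    # A real auth cookie set with the expected flags.
    "wordpress_logged_in_abc=user%7C1718000000%7Ctoken; path=/; secure; HttpOnly",
    # A constructed cookie genuinely set without flags: the only true finding.
    "legacy_pref=1; path=/",
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def is_deletion(cookie, now=NOW):
    """True when the header removes the cookie instead of setting one."""
    attrs = cookie["attrs"]
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        return int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if exp.tzinfo is None:  # treat naive timestamps as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return exp < now
    return False

def audit(headers, now=NOW):
    """Return (name, missing_flags) only for cookies that are actually set."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_deletion(cookie, now):
            continue  # deletion: its attributes say nothing about security
        missing = [f for f in ("secure", "httponly") if f not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings
```

Running `audit(SAMPLE_HEADERS)` reports only `legacy_pref`; the two deletion headers that a naive scanner would flag are skipped.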