Make WordPress Core

Opened 8 weeks ago

#61322 new feature request

HTTPOnly attribute for WP Test Cookies

Reported by: earthman100 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 6.5.3
Component: Security Keywords:
Focuses: coding-standards Cc:

Description

This code does not set the HTTPOnly attribute for the test cookies.

They continue to be flagged in automated security scans of our sites.

Is there any reason for not setting these, or providing a hook to allow user control of the attributes?

wp-login.php

<?php


// Set a cookie now to see if they are supported by the browser.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );

if ( SITECOOKIEPATH !== COOKIEPATH ) {
        setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
}

if ( isset( $_GET['wp_lang'] ) ) {
        setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
}


Suggested modification (or add a hook for the final attribute):

<?php


// Set a cookie now to see if they are supported by the browser.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );

if ( SITECOOKIEPATH !== COOKIEPATH ) {
        setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure, true );
}

if ( isset( $_GET['wp_lang'] ) ) {
        setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
}
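
A defender-side check, added here and not part of the ticket or of WordPress, that parses the Set-Cookie headers a login page returns and flags each cookie missing HttpOnly, and Secure when the login URL is https (the same scheme rule the ticket's `$secure` line uses). The sample headers and the cookie names in them are constructed to mirror the TEST_COOKIE and wp_lang cookies set by the code above.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {lower-cased attribute: value}).

    Flag attributes such as HttpOnly and Secure map to an empty string.
    """
    name_value, *attrs = header.split(";")
    name = name_value.split("=", 1)[0].strip()
    attributes: dict[str, str] = {}
    for attr in attrs:
        key, _, value = attr.strip().partition("=")
        if key:
            attributes[key.lower()] = value
    return name, attributes


def audit_cookies(headers: list[str], login_url: str) -> list[tuple[str, str, list[str]]]:
    """Return (name, path, missing attributes) for every Set-Cookie header.

    Secure is expected only when the login URL is served over https, matching
    the way wp-login.php derives its $secure flag from wp_login_url().
    """
    expect_secure = urlsplit(login_url).scheme == "https"
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if expect_secure and "secure" not in attrs:
            missing.append("Secure")
        findings.append((name, attrs.get("path", ""), missing))
    return findings


# Constructed sample: headers as a scanner would see them from the ticket's
# code (two test-cookie paths and wp_lang, none with HttpOnly), plus one
# header showing what the proposed seventh setcookie() argument produces.
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/; secure",
    "wordpress_test_cookie=WP+Cookie+check; path=/wp/; secure",
    "wp_lang=en_US; path=/; secure",
    "fixed_example=WP+Cookie+check; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for name, path, missing in audit_cookies(SAMPLE_HEADERS, "https://example.test/wp-login.php"):
        print(f"{name} (path={path}): {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```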


Change History (0)
