Opened 8 years ago
Closed 8 years ago
#36785 closed feature request (wontfix)
Filter for httponly cookie
| Reported by: |
IAmJulianAcosta
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.5.2 |
| Component: | Login and Registration | Keywords: | |
| Focuses: | Cc: |
Description
Sometimes is necessary to send auth cookies without httponly, so I'm proposing a filter to modify this behavior with an action:
plugabble.php
$http_only = true;
$http_only = apply_filters ('http_only_auth_cookie', $http_only);
setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only);
setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, $http_only);
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only);
if ( COOKIEPATH != SITECOOKIEPATH )
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, $http_only);
functions.php
function disable_http_only_cookie ($http_only) {
return false;
}
add_filter( 'http_only_auth_cookie', 'disable_http_only_cookie' );
I know that this could represent a security issue, but I'm pretty sure that any developer modifying this, is pretty sure about what is doing.
Change History (5)
#1
follow-up:
↓ 2
@
8 years ago
- Summary changed from Filter for httponly cookie. to Filter for httponly cookie
#2
in reply to:
↑ 1
@
8 years ago
Hi! I'm talking about specific case when you have to read auth cookie in a web app that uses WordPress users and auth cookie from WordPress for its own auth. I have this particular case, and would be nice if we have an option to modify it. I don't se why would be people that change this setting for no reason.
Replying to swissspidy:
Hey there,
Welcome to trac and thanks for creating this ticket!
Sometimes is necessary to send auth cookies without httponly
Can you tell us about specific use cases where this is absolutely necessary and cannot be circumvented by using a separate cookie?
I know that this could represent a security issue
It does, that's why
httponlywas added on purpose in #7677.
I'm pretty sure that any developer modifying this, is pretty sure about what is doing.
Never be too sure about this, really. There will always be people that would change this for no reason, or seem to be sure about it and forget to deactivate it on their production site.
#4
@
8 years ago
- Keywords close added
I see no reason why the auth cookies should be made available in this manner, it's just adding the ability for a developer to shoot themselves in the foot with a vulnerability.
If JS needs to know the logged in user, it should use it's own cookie or variable which is set through wp_localize_script() or similar, making available the full auth cookie is just asking for a bad time.
#5
@
8 years ago
- Keywords 2nd-opinion close removed
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
Agreed; if you need these in your JS, use a different cookie.
I'm also concerned that allowing this ability would allow plugins, themes, etc to set this without the user's knowledge and downgrade their security. It feels like the wrong way to solve this. :)
Hey there,
Welcome to trac and thanks for creating this ticket!
Can you tell us about specific use cases where this is absolutely necessary and cannot be circumvented by using a separate cookie?
It does, that's why
httponlywas added on purpose in #7677.Never be too sure about this, really. There will always be people that would change this for no reason, or seem to be sure about it and forget to deactivate it on their production site.