Skip to content

Commit

Permalink
Security: Set the HttpOnly flag for the test cookie and the wp_lang
Browse files Browse the repository at this point in the history 
… cookie on the login screen.

These cookies are only accessed server-side and don't need to be exposed to JavaScript in the browser.

Props earthman100, kevinlearynet

Fixes #61322


git-svn-id: https://develop.svn.wordpress.org/trunk@59671 602fd350-edb4-49c9-b593-d223f7449a82
  • Loading branch information
@johnbillion
johnbillion committed Jan 21, 2025
1 parent 4b89ebe commit 2adec31
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/wp-login.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -528,14 +528,14 @@ function wp_login_viewport_meta() {

// Set a cookie now to see if they are supported by the browser.
$secure = ( 'https' === parse_url( wp_login_url(), PHP_URL_SCHEME ) );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );

if ( SITECOOKIEPATH !== COOKIEPATH ) {
setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure );
setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN, $secure, true );
}

if ( isset( $_GET['wp_lang'] ) ) {
setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure );
setcookie( 'wp_lang', sanitize_text_field( $_GET['wp_lang'] ), 0, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
}

/**
Expand Down

0 comments on commit 2adec31

Please sign in to comment.