Title: Cookie changes
Last modified: February 13, 2020

---

# Cookie changes

 *  [siparker](https://wordpress.org/support/users/siparker/)
 * (@siparker)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/cookie-changes/)
 * Hi,
 * I am having a bit of a security sweep and one of the online pen test tools reports
   that there are some cookies that have issues.
 * They both appear to be from the multi step forms plugin.
 * Set-Cookie: cf7msm_check
    Set-Cookie: PHPSESSID
 * They both need to have the HttpOnly flag [http://www.owasp.org/index.php/HttpOnly](http://www.owasp.org/index.php/HttpOnly)
   and they do not have a secure flag. [http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)](http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002))
 * Also these cookies look to be set on every page of the site even when it is a
   404 error. Is it possible to edit the code so these are only added when on a
   page with a multi step form?

Viewing 1 replies (of 1 total)

 *  Plugin Author [webheadcoder](https://wordpress.org/support/users/webheadllc/)
 * (@webheadllc)
 * [6 years, 3 months ago](https://wordpress.org/support/topic/cookie-changes/#post-12449251)
 * Unfortunately the cf7msm_check cookie needs to be set before the first step is
   submitted. And the only way to know if a form is on a page is after the headers
   are sent which is after the time PHP can set the cookie.
 * Short answer: no, this cookie needs to be set on every page as the plugin is 
   right now.
 * Long answer: I’ll be adding a filter so PHP sessions and the cf7msm_check cookie
   are not needed unless explicitly enabled. I’ll need to find some time to do it
   though. So probably at least a couple weeks out.
 * If you need to edit the code, just remember you may need to reapply your edits
   after the next update. I may have to put up a quick fix and it may not have the
   updates to the cf7msm_check cookie. Also, edit at your own risk.
 * It is possible to edit the code. You can replace the setcookie line to enable
   Httponly flag.
 * In the cf7msm.php file, in cf7msm_init_sessions() function, replace:
   `setcookie('cf7msm_check', 1, 0, COOKIEPATH, COOKIE_DOMAIN);`
   with:
   `setcookie('cf7msm_check', 1, 0, COOKIEPATH, COOKIE_DOMAIN, false, true);`
 * Also replace this in the same function to get rid of the PHP session cookie:
 * `if (!session_id()) {`
 * with this:
 * `if ($force_session && !session_id()) {`
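
A way to confirm the result of the edits described in this thread, as an added example that is not part of the original posts or the plugin's code: the Python below checks `Set-Cookie` header lines for the HttpOnly and Secure attributes. The header lines are constructed samples. In PHP's `setcookie()` the sixth argument is `secure` and the seventh is `httponly`, so the sample for the edited plugin carries HttpOnly but not Secure.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure attributes.
# All header lines below are constructed samples, not captured from a real site.

REQUIRED = ("httponly", "secure")

# Constructed: what the pen test tool reported in the question.
BEFORE = [
    "Set-Cookie: cf7msm_check=1; path=/",
    "Set-Cookie: PHPSESSID=constructed0session0id; path=/",
]
# Constructed: after both edits from the reply (secure=false, httponly=true,
# and no PHP session started unless $force_session is set).
AFTER_EDIT = ["Set-Cookie: cf7msm_check=1; path=/; HttpOnly"]
# Constructed: the same cookie if the secure argument were also true.
WITH_SECURE = ["Set-Cookie: cf7msm_check=1; path=/; secure; HttpOnly"]


def parse_set_cookie(line):
    """Return (cookie_name, set of lowercased attribute names) for one header."""
    value = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the part before any '='.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(header_lines):
    """Map each cookie name to the sorted list of required attributes it lacks."""
    findings = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, attrs = parse_set_cookie(line)
        missing = sorted(a for a in REQUIRED if a not in attrs)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after edit", AFTER_EDIT),
                          ("with secure", WITH_SECURE)):
        print(label, audit(sample))
```

To audit a live site, feed the function the `Set-Cookie` lines from a response header dump in place of the constructed samples.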

The topic ‘Cookie changes’ is closed to new replies.


 * 1 reply
 * 2 participants
 * Last reply from: [webheadcoder](https://wordpress.org/support/users/webheadllc/)
 * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/cookie-changes/#post-12449251)
 * Status: not resolved