Title: Cookie security
Last modified: October 9, 2017

---

# Cookie security

 *  Resolved [janneke8incosi](https://wordpress.org/support/users/janneke8incosi/)
 * (@janneke8incosi)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/)
 * Hi!
    I’ve applied your wonderful plugin and it works great! But I have one question….
 * A security scan was done and the only problem was:
 * _Threat:_ The session cookie does not contain the “secure” attribute.
 * _Impact:_ Session Cookies with “secure” attribute are only permitted to be sent
   via HTTPS. Session cookies sent via HTTP expose users to sniffing attacks that
   could lead to user impersonation or account compromise.
 * _Solution:_ Apply the “secure” attribute to session cookies to ensure that they
   will be sent via HTTPS only.
 * At Cookie security I’ve checked “on” and “secure”, or did I have to check “HttpOnly”?

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/#post-9570701)
 * When the `HttpOnly` option is checked, the cookie will be made accessible only through
   the HTTP protocol. This means that the cookie won’t be accessible by scripting
   languages, such as **JavaScript**. It helps reduce identity theft through
   **XSS** attacks.
 * The `Secure` option works only for cookies sent by the web server (like session
   cookies).
 * Your website has 4 cookies, all of them set by JavaScript (see below).
 * [https://static.incosi.com/wp-content/plugins/wf-cookie-consent/js/cookiechoices.js](https://static.incosi.com/wp-content/plugins/wf-cookie-consent/js/cookiechoices.js)
   
   _displayCookieConsent_
 * [https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js](https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js)
   
   _\_icl\_current\_language_
 * [https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/browser-redirect.js](https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/browser-redirect.js)
   
   _wpml\_browser\_redirect\_test_ _wpml\_browser\_redirect\_test_
 * To make them secure you must append the “; secure” string to the end.
 *  Thread Starter [janneke8incosi](https://wordpress.org/support/users/janneke8incosi/)
 * (@janneke8incosi)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/#post-9570722)
 * Thanks Dimitar!
    And how do I do that???? I’m a newbie in this field…… Janneke
 *  Plugin Author [Dimitar Ivanov](https://wordpress.org/support/users/zinoui/)
 * (@zinoui)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/#post-9570801)
 * You have to edit these files:
 * [https://static.incosi.com/wp-content/plugins/wf-cookie-consent/js/cookiechoices.js](https://static.incosi.com/wp-content/plugins/wf-cookie-consent/js/cookiechoices.js)
   
   Line: 178 `document.cookie = cookieName + '=y;path=/; expires=' + expiryDate.toGMTString() + '; secure';`
 * [https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js](https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/cookies/language-cookie.js)
   
   Line: 5 `'path': cookieData.path, 'secure': true`
 * [https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/browser-redirect.js](https://static.incosi.com/wp-content/plugins/sitepress-multilingual-cms/res/js/browser-redirect.js)
   
   Line: 106 `domain: domain, secure: true`
 *  Thread Starter [janneke8incosi](https://wordpress.org/support/users/janneke8incosi/)
 * (@janneke8incosi)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/#post-9570977)
 * Found it, did it, thanks!!!
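
The check the scan performed and the “; secure” fix from the replies, as an added example that is not part of the thread or of any plugin's code. The function names are hypothetical and the sample cookie values are constructed; `fromScript` marks cookies written through `document.cookie`, where `HttpOnly` cannot be set.

```javascript
// Added example (not plugin code). Sample cookie values are constructed.

// Parse one Set-Cookie header value (or a document.cookie assignment string)
// into the cookie name and a map of lower-cased attributes.
function parseCookie(line) {
  const [pair = '', ...attrs] = line.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    flags[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, flags };
}

// Report the attributes a scanner would flag as missing.
// fromScript: the cookie is written via document.cookie, where HttpOnly
// cannot be set, so only Secure is checked.
function missingAttributes(line, fromScript = false) {
  const { name, flags } = parseCookie(line);
  const missing = [];
  if (!flags.secure) missing.push('Secure');
  if (!fromScript && !flags.httponly) missing.push('HttpOnly');
  return { name, missing };
}

// Build a document.cookie string that always ends with "; secure".
function secureCookieString(name, value, days, path = '/') {
  const expires = new Date(Date.now() + days * 864e5).toUTCString();
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}; path=${path}; expires=${expires}; secure`;
}

// Constructed sample input: two server headers and one script-written cookie.
const sampleHeaders = [
  'PHPSESSID=abc123; path=/',
  'PHPSESSID=abc123; path=/; Secure; HttpOnly',
];

function auditSamples() {
  const results = sampleHeaders.map((h) => missingAttributes(h));
  results.push(missingAttributes(secureCookieString('displayCookieConsent', 'y', 365), true));
  return results;
}
```

In a browser, the string returned by `secureCookieString` is what gets assigned to `document.cookie`; a browser will not store a `secure` cookie set from a page loaded over plain HTTP.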


The topic ‘Cookie security’ is closed to new replies.


## Tags

 * [cookie](https://wordpress.org/support/topic-tag/cookie/)
 * [xss](https://wordpress.org/support/topic-tag/xss/)

 * 4 replies
 * 2 participants
 * Last reply from: [janneke8incosi](https://wordpress.org/support/users/janneke8incosi/)
 * Last activity: [8 years, 8 months ago](https://wordpress.org/support/topic/cookie-security-2/#post-9570977)
 * Status: resolved