Cookies are sent via https, but not marked as secure | ww.wp.xz.cn

Resolved tech007
(@tech007)

6 years, 3 months ago

This plugin set cookies with the flag “$secure = FALSE” with both http/https. It would be nice to have it programmable. Thank you for your plugin and support.

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author gioni
(@gioni)

6 years, 3 months ago

Programmable how? What’s the reason?

Thread Starter tech007
(@tech007)

6 years, 3 months ago

Best practice. While secure cookies can be overwritten too (https://tools.ietf.org/html/rfc6265#section-4.1.2.5) and wp-cerber may not store confidential info, our application requires high security standard; this may be seen as a flaw when detected by third party web tests.

Plugin Author gioni
(@gioni)

6 years, 3 months ago

That’s a reasonable argument. First of all, Cerber doesn’t use cookies to store any sensitive data from the first day of its existence and will never do that: https://wpcerber.com/browser-cookies-set-by-wp-cerber/
Secondly, before setting cookies with the security flag on, we need to ensure that a website has a valid SSL certificate in place. It’s important because many websites don’t use SSL yet. Anyway, it will be implemented this year. Stay tuned.

Plugin Author gioni
(@gioni)

6 years ago

Implemented in the last version: https://wpcerber.com/wp-cerber-security-8-6-5/

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Cookies are sent via https, but not marked as secure’ is closed to new replies.

4 replies
2 participants
Last reply from: gioni
Last activity: 6 years ago
Status: resolved