Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HttpOnly for Server-side Cookies #7240

Closed
wants to merge 3 commits into from
Closed

HttpOnly for Server-side Cookies #7240

wants to merge 3 commits into from

Conversation

Kevinlearynet
Copy link

@Kevinlearynet Kevinlearynet commented Aug 26, 2024
edited
Loading

When running WordPress at government regulated and/or security focused organizations security audits routinely flag issues with PHP creating cookies without the HttpOnly argument set to true.

While this can't be done for cookies that are used by JavaScript, it can be safely enabled for server-side only cookies set within wp-login.php:

  • TEST_COOKIE
  • wp-postpass_{HASH}

I've tested this on the latest WordPress trunk with a server stack that mirrors Kinsta and WPEngine. This stack passes 100% of Site Health checks, and is running on the following:

Darwin 23.6.0 x86_64
nginx/1.25.5
PHP 8.3.7 (support 64bit values)
Zend OPcache v8.3.7
mysql 8.3.0 / mysqlnd 8.3.7
8.7.1 (SecureTransport) OpenSSL/3.3.0

Originally reported by earthman100

Trac ticket: https://core.trac.wordpress.org/ticket/61322

@Kevinlearynet
HttpOnly flags added to setcookie() for TEST_COOKIE and `wp-postpas…
f192996 
…s_{HASH}`, both of which are not referenced by JS
@github-actions GitHub Actions
Copy link

Hi @Kevinlearynet! 👋

Thank you for your contribution to WordPress! 💖

It looks like this is your first pull request to wordpress-develop. Here are a few things to be aware of that may help you out!

No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description.

Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making.

More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook.

Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook.

If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook.

The Developer Hub also documents the various coding standards that are followed:

Thank you,
The WordPress Project

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 26, 2024
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props kevinlearynet, johnbillion.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@Kevinlearynet Kevinlearynet changed the title HttpOnly flags added to setcookie() for TEST_COOKIE and `wp-postpas… HttpOnly for Cookies: TEST_COOKIE & wp-postpass_* Aug 26, 2024
@Kevinlearynet Kevinlearynet changed the title HttpOnly for Cookies: TEST_COOKIE & wp-postpass_* Set HttpOnly for Server-side Only Cookies Aug 26, 2024
@Kevinlearynet Kevinlearynet changed the title Set HttpOnly for Server-side Only Cookies HttpOnly for Server-side Only Cookies Aug 26, 2024
@Kevinlearynet Kevinlearynet changed the title HttpOnly for Server-side Only Cookies HttpOnly for Server-side Cookies Aug 26, 2024
@Kevinlearynet Kevinlearynet changed the title HttpOnly for Server-side Cookies HttpOnly for Server-side Cookies Aug 26, 2024
@github-actions GitHub Actions
Copy link

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@Kevinlearynet
Copy link
Author

Are these test actions reliable?

I re-triggered tests with a --no-commit that changed nothing, and I see completely different results?

  1. First test run shows 10 errors with specific PHP versions and MySQL/MariaDB combinations
  2. First test run shows 7 entirely different errors related to SCRIPT_DEBUG and applications-passwords.test.js

@johnbillion
Copy link
Member

Not sure what was up with those performance tests but I merged the trunk branch into this and they seem pretty stable again.

johnbillion
johnbillion requested changes Jan 21, 2025
View reviewed changes
src/wp-login.php
@@ -791,7 +791,7 @@ function wp_login_viewport_meta() {
$secure = false;
}

setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );
setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure, true );
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I support setting the test cookie and wp_lang cookie to HttpOnly, but I don't think it's safe to do it for the post password cookie. There's too high an opportunity for it to break either JavaScript that reads the value of the cookie, or Ajax handlers in PHP that read the value of the cookie, both of which would no longer be able to do so.

Let's revert this change but keep the other changes.

@github-actions GitHub Actions
Copy link

A commit was made that fixes the Trac ticket referenced in the description of this pull request.

SVN changeset: 59671
GitHub commit: 2adec31

This PR will be closed, but please confirm the accuracy of this and reopen if there is more work to be done.

@github-actions github-actions bot closed this Jan 21, 2025
@Kevinlearynet
Copy link
Author

@johnbillion

Thanks! Glad the unit tests work on trunk w/o issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnbillion johnbillion johnbillion requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Kevinlearynet @johnbillion