
I have Nginx running with PHP and WordPress. Acunetix recommends setting these flags, but they provide no documentation. I have looked around a bit, but I have not seen anything that shows exactly how to implement this. I have this module: http://wiki.nginx.org/HttpHeadersMoreModule on Nginx if that would help. Any information on how to set these flags? Thanks.

As requested, here is the cookie sample:

Cookie: __cfduid=d3-shortened-08; cf_use_ob=0; wordpress_logged_in_6dfda-shortened-e3e82d5; __utma=21-shortened-436.19; __utmc=21519150; __utmz=2119150.1396063475.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); testing=1; sid=a14-shortened-384; sessiontest=1; wp-settings-2=editor%3Dhtml%26wplink%3D0%26uploader%3D1%26mfold%3Do%26ed_size%3D677%26libraryContent%3Dbrowse%26urlbutton%3Dfile; wp-settings-time-2=139745167; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a9-shortened-d2a7=DrDinosaur%7C1397980-shortened-2f9

masegaloeh
DrDinosaur
  • Can you include how the relevant cookies are currently set? Are these cookies set by wordpress? – Håkan Lindqvist Apr 19 '14 at 12:25
  • Here's what I get in Fiddler: Cookie: __cfduid=d3-shortened-08; cf_use_ob=0; wordpress_logged_in_6dfda-shortened-e3e82d5; __utma=21-shortened-436.19; __utmc=21519150; __utmz=2119150.1396063475.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); testing=1; sid=a14-shortened-384; sessiontest=1; wp-settings-2=editor%3Dhtml%26wplink%3D0%26uploader%3D1%26mfold%3Do%26ed_size%3D677%26libraryContent%3Dbrowse%26urlbutton%3Dfile; wp-settings-time-2=139745167; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a9-shortened-d2a7=DrDinosaur%7C1397980-shortened-2f9 – DrDinosaur Apr 19 '14 at 13:11

4 Answers


Edit your php.ini and set session.cookie_httponly and session.cookie_secure or use setcookie in your application.

HTTP500
  • Hmm. I added "1" to the end of those options to turn them on, but Acunetix is still giving the same message saying they are not enabled. – DrDinosaur Apr 19 '14 at 13:02
  • 1
    This affects only PHP cookies related to PHP sessions. Wordpress uses other cookies, so this setting has no effect on those. – Tero Kilkanen Apr 20 '14 at 00:46

The cookies are set in PHP code, and nginx is just relaying the information it receives from PHP to the site visitor.

You might be able to modify the headers with nginx-headers-more module, but you could also make new problems with that approach.

A safer way is to patch WP's cookie-setting code to enable setting of cookies with the HttpOnly and Secure features.

I don't know if there are any preferred methods of enabling those in WP, or if you just need to hack the actual cookie setting code.

Tero Kilkanen
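Added example (not from any of the answers above, and not WordPress's or PHP's own code): a must-use plugin that does both of the things discussed here in one place, the PHP session cookie settings from HTTP500's php.ini answer and the WordPress cookie flags that Tero Kilkanen's answer says would otherwise need patching in WP's cookie-setting code. It assumes WordPress's `secure_auth_cookie` and `secure_logged_in_cookie` filters (core hooks applied inside `wp_set_auth_cookie()`), the standard `wp-content/mu-plugins/` directory, and a site served over HTTPS; the file name is my choice.

```php
<?php
/**
 * Plugin Name: Harden cookie flags
 * (Added example for this thread; not WordPress core code.)
 *
 * Save as wp-content/mu-plugins/harden-cookies.php. Must-use plugins load
 * before regular plugins, so these filters are registered before
 * wp_set_auth_cookie() runs at login.
 *
 * Assumes the site is served over HTTPS: a Secure cookie is never sent over
 * plain HTTP, so enabling this on an HTTP-only site logs everyone out.
 */

// 1. PHP's own session cookie (PHPSESSID), the only cookie that the php.ini
//    settings session.cookie_httponly / session.cookie_secure control.
//    Setting them from code has the same effect and works on hosts where
//    php.ini is not editable. Must run before session_start(), which is why
//    it is guarded on session_status().
if ( session_status() === PHP_SESSION_NONE ) {
    ini_set( 'session.cookie_httponly', '1' );
    ini_set( 'session.cookie_secure', '1' );
    ini_set( 'session.cookie_samesite', 'Lax' ); // PHP >= 7.3
}

// 2. WordPress auth cookies: wordpress_<hash>, wordpress_sec_<hash> and
//    wordpress_logged_in_<hash>. Core sets these with HttpOnly itself and adds
//    Secure only when it thinks the request is HTTPS (is_ssl()). Behind a
//    TLS-terminating proxy such as Cloudflare, is_ssl() can return false, so
//    the logged_in cookie goes out without Secure. These two core filters
//    force Secure on regardless of what is_ssl() reports.
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );

// 3. Optional: make is_ssl() itself correct behind the proxy so every other
//    place WordPress derives the Secure flag from it also gets it right.
//    Only do this if the proxy overwrites X-Forwarded-Proto on every request;
//    otherwise a client can spoof the header. (Normally placed in wp-config.php.)
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After deploying, re-check the actual `Set-Cookie` response headers on a fresh login rather than the request `Cookie` header shown in the question, since flags are only visible on the response. Expect the scanner to keep flagging some cookies in that sample no matter what: `__utma`, `__utmc` and `__utmz` are written by the Google Analytics JavaScript in the browser, so they cannot be HttpOnly by construction, and `wp-settings-*` is read by WordPress's own admin JavaScript, so core deliberately leaves it without HttpOnly.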

To confirm this: __cfduid is a cookie provided by Cloudflare and does not hold any sensitive data. You also cannot alter it to have a Secure flag.

Ryank

Try to use nginx_cookie_flag_module. It will solve your issue.

Airis