Hello,
I have a client who uses Symantec's site seal. They just forwarded the result of a site scan showing that some cookies on the site aren't secure. (can be sent via plain ole HTTP)
I dug in and noticed that Wordfence does not seem to be honoring secure cookies. My references below are from WF 5.2.7.
I found a function for setting cookies in the WF source:
    // Wrapper around PHP's setcookie(); the $secure and $httpOnly flags are
    // only passed through on PHP >= 5.2.0, where setcookie() accepts them.
    public static function setcookie($name, $value, $expire, $path, $domain, $secure, $httpOnly){
        if(version_compare(PHP_VERSION, '5.2.0') >= 0){
            @setcookie($name, $value, $expire, $path, $domain, $secure, $httpOnly);
        } else {
            // Older PHP: secure/httponly flags cannot be set here at all.
            @setcookie($name, $value, $expire, $path);
        }
    }
But then when I located that function elsewhere in the source, I was disappointed to see that a null value is being passed for the secure param.
In wordfenceClass.php at line 2441:
    // $domain = null, $secure = null (cookie is sent over plain HTTP), $httpOnly = true
    wfUtils::setcookie($cookieName, uniqid(), time() + 1800, '/', null, null, true);
(I did some quick research into how WP handles secure cookies and stumbled upon wp_set_auth_cookie().)
Any advice you can offer would be appreciated - I want to make sure that the next scan comes up clean and don't want to have to disable WF!
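To confirm whether a rescan would still flag cookies, here is an added shell check (not from the post or from Wordfence) that reads raw HTTP response headers and reports each Set-Cookie that lacks the Secure or HttpOnly attribute. The cookie names in the sample headers are constructed placeholders, not Wordfence's real cookie names.

```shell
# Audit Set-Cookie headers for the Secure and HttpOnly attributes.
# Reads raw HTTP response headers on stdin and prints one line per cookie
# that lacks either flag; prints nothing when every cookie carries both.
audit_cookie_flags() {
    grep -i '^set-cookie:' | while IFS= read -r line; do
        # cookie name: text after "Set-Cookie:" up to the first "="
        name=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/=.*//')
        # split attributes on ";" and compare whole tokens, so a cookie whose
        # value merely contains the word "secure" is not counted as flagged
        attrs=$(printf '%s' "$line" | tr ';' '\n' | sed '1d; s/^[[:space:]]*//; s/[[:space:]]*$//')
        missing=""
        printf '%s\n' "$attrs" | grep -qix 'secure'   || missing="$missing Secure"
        printf '%s\n' "$attrs" | grep -qix 'httponly' || missing="$missing HttpOnly"
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$name" "$missing"
        fi
    done
}

# Constructed sample response (not captured from a real site). The first cookie
# mirrors the wfUtils::setcookie(..., null, null, true) call quoted above:
# HttpOnly is set but Secure is not. The second has both flags, the third neither.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: wf_cookie_example=abc123; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; HttpOnly
Set-Cookie: session=xyz; path=/; Secure; HttpOnly
Set-Cookie: prefs=insecure_value; path=/'

# Run the audit over the constructed sample. Against a live site, pipe real
# headers in instead, e.g.:  curl -sI https://example.com/ | audit_cookie_flags
audit_sample() {
    printf '%s\n' "$SAMPLE_HEADERS" | audit_cookie_flags
}
```

An empty result from the audit means every cookie in the response already carries both flags.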