EasyEngine / feature-requests

A repo to track all feature requests on EasyEngine project using issue tracker.

Add cookie flags "HttpOnly", "secure" for better security on https sites #58

Open jasomdotnet opened 6 years ago

jasomdotnet commented 6 years ago

All my WordPress EE sites have a Let's Encrypt SSL cert. So I set in

nano /etc/php/7.0/fpm/php.ini

following:

...
session.cookie_httponly = 1
session.cookie_secure = 1
...

then

sudo service php7.0-fpm restart

I suggest adding the HttpOnly and secure flags for better PHP security when a site uses an LE cert.

You can specify it on server block level when nginx is compiled with nginx_cookie_flag_module.

rahul286 commented 6 years ago

@jasomdotnet sorry for the delayed reply. Does this work without Nginx's nginx_cookie_flag_module?

@mbtamuli Does OpenResty come with nginx_cookie_flag_module?

freedog96150 commented 3 years ago

@jasomdotnet and @rahul286 I am trying to get these to work on my EEv4 sites. Can we verify the above DOES or DOES NOT work? It is not working for me, but could be other settings as well. I would love to upvote this as I keep failing my PCI-DSS scans for these various XSS and Cookie issues.
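An added example, not part of this thread or of EasyEngine, for the two questions above: whether the `php.ini` directives are actually enabled, and whether the cookies a site sends really carry `HttpOnly` and `Secure`. The script below is plain POSIX sh with two checks: one parses the session cookie directives out of php.ini text, the other scans `Set-Cookie` response headers and names every cookie that lacks either flag. All input (`SAMPLE_OK`, `SAMPLE_BAD`, `SAMPLE_INI_OK`, `SAMPLE_INI_BAD`) is constructed here so it runs offline; to check a real site you own, feed it the headers from `curl -sD - -o /dev/null https://<your-site>/wp-login.php` instead.

```shell
#!/bin/sh
# Constructed sample HTTP response headers (not captured from a real site).
SAMPLE_OK='HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly'
SAMPLE_BAD='HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure'

# Constructed php.ini fragments. In SAMPLE_INI_BAD the secure directive is
# commented out with ";", which is how php.ini disables a line.
SAMPLE_INI_OK='session.cookie_httponly = 1
session.cookie_secure = 1'
SAMPLE_INI_BAD='session.cookie_httponly = 1
;session.cookie_secure = 1'

# check_php_ini_text INI_TEXT
# Prints each session cookie directive that is not enabled (1/On/true) on an
# uncommented line; returns 0 only when both directives are enabled.
check_php_ini_text() {
    rc=0
    for directive in session.cookie_httponly session.cookie_secure; do
        # The "." in the directive name is an unescaped regex dot; harmless here.
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${directive}[[:space:]]*=[[:space:]]*(1|On|on|true)[[:space:]]*$"; then
            printf '%s not enabled\n' "$directive"
            rc=1
        fi
    done
    return $rc
}

# check_cookie_flags HEADERS_TEXT
# Scans every Set-Cookie header; prints "<name> missing: <flags>" for each
# cookie lacking HttpOnly or Secure; returns 0 only when all cookies have both.
check_cookie_flags() {
    problems=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^set-cookie:' | while IFS= read -r line; do
        # cookie name = text between "Set-Cookie:" and the first "="
        name=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/=.*$//')
        flags=""
        # Each flag must be its own ";"-separated attribute, so a cookie VALUE
        # such as "insecure" does not count as the Secure attribute.
        printf '%s' "$line" | grep -Eqi ';[[:space:]]*httponly([[:space:]]*;|$)' || flags="$flags HttpOnly"
        printf '%s' "$line" | grep -Eqi ';[[:space:]]*secure([[:space:]]*;|$)' || flags="$flags Secure"
        if [ -n "$flags" ]; then
            printf '%s missing:%s\n' "$name" "$flags"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Demo run over the constructed samples.
check_php_ini_text "$SAMPLE_INI_BAD" || echo "php.ini sample: directive missing (see above)"
check_cookie_flags "$SAMPLE_OK" && echo "header sample OK: every cookie has HttpOnly and Secure"
check_cookie_flags "$SAMPLE_BAD" || echo "header sample BAD: see cookies listed above"
```

Note that the php.ini directives only govern the PHP session cookie (`PHPSESSID`); WordPress sets its own login and test cookies in PHP code, so a site can pass the php.ini check and still fail the header check on those cookies, which is exactly the case the header scan is meant to surface.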