auth0_nonce and auth0_state cookies are set without the secure flag #872

Closed
phy9pas opened this issue Mar 14, 2023 · 1 comment

Comments


phy9pas commented Mar 14, 2023

When setting these state cookies, if the site is using https then it should set the secure flag to true when using setcookie.
This will ensure the cookie is only available over https.

This relates to WP_Auth0_Nonce_Handler.php, line 193.

@evansims (Member)

Hi @phy9pas 👋 Thanks for your suggestion. This is not a viable option because we found many users run the plugin in non-TLS environments, and often in environments behind proxies that do not accurately inform PHP using environment variables that it should be considered running in HTTPS.
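For readers weighing the two positions above, here is an added example (not code from the wp-auth0 plugin) of setting the auth0_nonce and auth0_state cookies with a Secure flag derived from the request, including the reverse-proxy case the maintainer describes. It assumes PHP 7.3+ (array form of setcookie), a trusted-proxy list supplied by the operator, and that the proxy sets X-Forwarded-Proto; the function names and the sample addresses are invented for this illustration.

```php
<?php
// Added example, not the plugin's own code. Decides the Secure flag for the
// auth0_nonce / auth0_state cookies from the request instead of hard-coding it.

/**
 * Return true when the client connection is HTTPS. Direct TLS is detected via
 * $_SERVER['HTTPS'] or port 443. A proxy-terminated connection is detected via
 * X-Forwarded-Proto, but only when REMOTE_ADDR is a trusted proxy, because any
 * client can send that header on its own. (Trusted-proxy list: assumption.)
 */
function auth0_example_is_https(array $server, array $trusted_proxies): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $forwarded = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return in_array($remote, $trusted_proxies, true) && $forwarded === 'https';
}

/**
 * Set one state cookie. Secure follows the detected scheme, so a plain-HTTP
 * deployment still receives the cookie and an HTTPS one never leaks it over
 * HTTP. HttpOnly keeps it away from scripts; SameSite=Lax still lets it
 * accompany the top-level GET redirect back from the identity provider.
 */
function auth0_example_set_state_cookie(
    string $name, string $value, array $server, array $trusted_proxies, int $ttl = 600
): bool {
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => auth0_example_is_https($server, $trusted_proxies),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample request: plain HTTP between proxy and PHP, HTTPS at the
// proxy. 10.0.0.5 is a placeholder for the operator's own proxy address.
$trusted = ['10.0.0.5'];
$server  = ['REMOTE_ADDR' => '10.0.0.5', 'SERVER_PORT' => '80',
            'HTTP_X_FORWARDED_PROTO' => 'https'];
auth0_example_set_state_cookie('auth0_nonce', bin2hex(random_bytes(16)), $server, $trusted);
auth0_example_set_state_cookie('auth0_state', bin2hex(random_bytes(16)), $server, $trusted);
```

With an empty trusted-proxy list the X-Forwarded-Proto branch is never taken, which reproduces the situation the maintainer describes: PHP sees only the non-TLS hop and the cookies are sent without Secure.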
