Cookie Security won’t set
-
Hi
I have set the Cookie Security to On with the following settings: Secure, HttpOnly and samesite=Lax. When I save it, it doesn't appear in the HTTP Headers section of the .htaccess file. Should it save the settings there, or does it do something else?
Thanks
Morris
-
If your server API is some CGI then the settings you've mentioned above should be stored in your user_ini.filename:

session.cookie_httponly = on
session.cookie_secure = on
session.cookie_samesite = "Lax"

otherwise in your .htaccess file:

php_flag session.cookie_httponly on
php_flag session.cookie_secure on
php_value session.cookie_samesite Lax

So, I guess you're using some CGI SAPI.
Hi Dimitar
Thank you for your quick reply. I needed the 2nd one as I am using the .htaccess file.
I have added it in and saved the file.
The website results I need help with: https://observatory.mozilla.org/analyze/friendsofllandyfeisantchurch.org
When I run Observatory by Mozilla, under Test Scores it says 'Session cookie set without using the HttpOnly flag'. I thought that adding the lines above would have set it up correctly using HttpOnly.
Looking at the Cookies further down, PHPSESSID is not Secure or HttpOnly, and cf7mm_check is not Secure or HttpOnly either.
So I don't understand what's going on, or even whether it has gone wrong somewhere. I did manage to add `Header set set-cookie path=/;secure;HttpOnly;samesite=lax` and that shows up in the results.
How can we fix PHPSESSID and cf7mm_check to be secure and HttpOnly?
Morris
Hi Dimitar
I found this piece of code on this website (https://www.tunetheweb.com/security/http-security-headers/secure-cookies/) that I added to the .htaccess file:

Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"

And it worked, the Observatory Results now give me a tick. When I check the Cookies section of the report, both HttpOnly and Secure are ticked.
Test Scores now read: All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag.
Maybe you could add that line into your plugin….
Morris
Hi Dimitar
You can also add samesite=lax or strict like below:

Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"

Morris
Set cookie security is not functioning for me either.
Not sure what to do with the code above or where to put it.
How would I write a line to go in the FilesMatch so that I get:
SameSite=None Secure
I tried several combinations and it just won’t write it to my .htaccess file
e.g.
Header set Cookie-Security "SameSite=None; 'secure'"

I'm trying to solve this:
A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute.
cookies with cross-site requests require SameSite=None and Secure.

I have the same issue too. Even though httponly and secure are set, it doesn't set the cookie with HttpOnly and Secure.
It seems to be working now after adding the following line 'Header set Set-Cookie HttpOnly;Secure' right before # END WordPress in .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Header set Set-Cookie HttpOnly;Secure
# END WordPress
# BEGIN HttpHeaders
# The directives (lines) between "BEGIN HttpHeaders" and "END HttpHeaders" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\.(php|html)$">
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1"
Header set Pragma "no-cache"
Header set Cache-Control "must-revalidate, no-cache, no-store"
</FilesMatch>
</IfModule>
# BEGIN HttpHeadersCookieSecurity
# The directives (lines) between "BEGIN HttpHeadersCookieSecurity" and "END HttpHeadersCookieSecurity" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END HttpHeadersCookieSecurity
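The thread tries two different mod_headers directives on the Set-Cookie header: `Header set Set-Cookie ...` (the last post above and the earlier `Header set set-cookie path=/;...` attempt) and `Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax"` (Morris's working fix). They do very different things: `Header set` discards every existing Set-Cookie value and replaces it with the literal string, so the PHPSESSID name=value pair never reaches the browser, while `Header edit` rewrites each existing value in place. The script below is an added example, not the HTTP Headers plugin's code nor anything the posters ran. It emulates the two directives in Python on constructed Set-Cookie values (the PHPSESSID and cf7mm_check names come from the thread; their values and the hypothetical cross-site `widget_session` cookie, standing in for the cookie in the "SameSite=None and Secure" warning quoted above, are made up), and runs the checks Observatory reported: Secure on every cookie, HttpOnly on the session cookie, a SameSite attribute present, and SameSite=None only together with Secure.

```python
import re

# Constructed sample Set-Cookie values modelled on the thread; the values and the
# hypothetical widget_session cross-site cookie are made up for this example.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=0123456789abcdef; path=/",
    "cf7mm_check=1; path=/",
    "widget_session=abc; path=/; SameSite=None",  # needs Secure, must stay None
]

EDIT_PATTERN = "(.*)"
EDIT_REPLACEMENT = "$1;HttpOnly;Secure;SameSite=Lax"   # the thread's blanket edit


def header_set(values, new_value):
    """Emulate `Header set Set-Cookie <value>`: every existing Set-Cookie value
    is thrown away and the single literal value is sent instead."""
    return [new_value]


def _apache_to_python_replacement(replacement):
    # Apache back-references are $1..$9; Python's re.sub expects \1..\9.
    return re.sub(r"\$(\d)", r"\\\1", replacement)


def header_edit(values, pattern, replacement):
    """Emulate `Header edit Set-Cookie <regex> <replacement>`: the regex is applied
    to each existing value and the first match is rewritten; non-matching values
    are left untouched."""
    regex = re.compile(pattern)
    py_repl = _apache_to_python_replacement(replacement)
    return [regex.sub(py_repl, v, count=1) for v in values]


def cookie_attributes(value):
    """Split a Set-Cookie value into (cookie name, {attribute_lower: value}).
    A later duplicate attribute overrides an earlier one, as browsers do."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value, session_names=("PHPSESSID",)):
    """Return the problems the thread's scanner checks would flag for one cookie."""
    name, attrs = cookie_attributes(value)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if name in session_names and "httponly" not in attrs:
        problems.append("session cookie missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        problems.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    return problems


def audit_all(values):
    """Map each cookie name to its list of problems."""
    return {cookie_attributes(v)[0]: audit_cookie(v) for v in values}


def demo():
    """Run the three configurations from the thread against the sample cookies."""
    before = audit_all(SAMPLE_SET_COOKIE)
    # `Header set Set-Cookie HttpOnly;Secure`: the cookies themselves are gone.
    after_set = header_set(SAMPLE_SET_COOKIE, "HttpOnly;Secure")
    # The blanket edit: all checks pass, but widget_session's SameSite=None has
    # been overridden by the appended SameSite=Lax, breaking its cross-site use.
    after_edit = header_edit(SAMPLE_SET_COOKIE, EDIT_PATTERN, EDIT_REPLACEMENT)
    # A targeted edit for the cross-site cookie only adds what it is missing.
    targeted = header_edit(SAMPLE_SET_COOKIE, r"^(widget_session=.*)", "$1;Secure")
    return before, after_set, after_edit, targeted


if __name__ == "__main__":
    for label, result in zip(("before", "after set", "after edit", "targeted"), demo()):
        print(label, result)
```

Two things the emulation makes visible. First, after `Header set` the only Set-Cookie value left is the string `HttpOnly;Secure`, which is why a scanner can report the flags as present while the session cookie has actually stopped working. Second, `(.*) "$1;...;SameSite=Lax"` appends the attributes to every cookie, so a cookie that must carry `SameSite=None` for cross-site use ends up with `SameSite=Lax` because the later attribute wins; that cookie needs its own targeted edit that only adds `Secure`. The `always` condition used in the working directive matters because, per the mod_headers documentation, headers emitted by a CGI/FastCGI backend and headers on non-2xx responses live in the table that only `always` reaches.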
The topic ‘Cookie Security won’t set’ is closed to new replies.