Skip to:

experimental security boost for bbPress 0.9 (HttpOnly)

  • _ck_


    HttpOnly cookies are a security advancement that is finally supported now by all major browsers (Firefox eventually got it right in 3.1, while IE 7 still has a bug but it generally works).

    HttpOnly means a cookie cannot be read by javascript in the browser, only by the server (via PHP, etc.) This practically stops XSS exploits and makes it much harder if not impossible in most cases.

    HttpOnly may “save your bacon” when a plugin has a security hole (like Private Messaging and bb-Reputation 0.0.5) and prevent a malicious script from forwarding your keymaster cookie to someone else via a XSS script.

    I manged to get them to include HttpOnly in WordPress 2.7 and bbPress 1.0 but it’s still not in older WordPress or bbPress 0.9 because they worried about backward compatibility with some WordPress plugins that try to directly read the cookie (bad technique) instead of using server-side helpers.

    However there are NO bbPress plugins that direct read the auth cookie and very few WordPress plugins still do this. I am not 100% positive how it will affect ajax but it shouldn’t because it’s still authorized on the server-side via PHP.

    So if you’d like to try out HttpOnly on your bbPress 0.9, here’s how, it’s as simple as a mini-plugin. Note that if you are already using a cookie replacement plugin like my “Freshly Baked Cookies” or “Year Long Cookies” you will need to edit them instead of using the following (you can only use one cookie replacement plugin at a time).

    I’d appreciate any feedback or experiences with this, especially if it causes problems:

    Save this as _HttpOnly.php and upload into your my-plugins/ directory:

    Plugin Name: HttpOnly Auth Cookie

    function wp_set_auth_cookie($user_id, $remember = false) {
    global $bb;

    if ( $remember ) {
    $expiration = $expire = time() + 1209600;
    } else {
    $expiration = time() + 172800;
    $expire = 0;

    $cookie = wp_generate_auth_cookie($user_id, $expiration);
    do_action('set_auth_cookie', $cookie, $expire);

    setcookie($bb->authcookie, $cookie, $expire, $bb->cookiepath, $bb->cookiedomain. '; HttpOnly' );
    if ( $bb->cookiepath != $bb->sitecookiepath )
    setcookie($bb->authcookie, $cookie, $expire, $bb->sitecookiepath, $bb->cookiedomain. '; HttpOnly' );

    To prove it’s working, you CANNOT use the Firefox webdeveloper plugin because that looks at the cookie in Firefox’s chrome, not at the user level. What you have to do is

    1. prove you can see your bbpress/wordpress cookie by typing or copying this to your browser address bar javascript:alert(document.cookie);

    2. install the plugin

    3. log out and then log in

    4. again type or copy this to your browser address bar javascript:alert(document.cookie);

    5. if it’s working, you should NOT see your wordpress/bbpress cookie in the alert

    Currently the only plugin I am aware of that tries to read the cookie directly in WordPress is the WP-UserOnline plugin from GamerZ, and he may have even fixed that by now in the newest versions. However there may be others, so test your setup.

  • You must be logged in to reply to this topic.
Skip to toolbar