In php.ini you’ll need to set the following:
session.cookie_httponly = 1
Attackers often exploit Cross-Site Scripting (XSS) flaws in web applications to inject JavaScript into pages, which can then be used to steal session cookies. Setting the php.ini directive session.cookie_httponly prevents JavaScript from accessing the session cookie. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
session.cookie_secure = On
session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4. See also session_get_cookie_params() and session_set_cookie_params().
session.referer_check = your_url.tld
Where your_url.tld could be:
example.com
session.referer_check = example.com
Another small security feature is allowing PHP to check HTTP referer values
so that session information is only passed internally while a user is viewing an application.
This prevents users from accidentally publishing session information in a way that would allow external users to follow links and steal a session.
This is especially useful if session information is being passed in a URL that could accidentally be published to a mailing list or web site.
You may also be interested in Session Fixation.
This is where an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it’s done by giving them a URL like https://www.example.com/index…?session_name=sessionid. Once the attacker gives the URL to the client, the attack is the same as a session hijacking attack.
There are a few ways to prevent session fixation (do all of them):
* Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers. Defaults to 0 (disabled).
* Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers. Defaults to 1 (enabled) since PHP 5.3.0.
session.use_trans_sid = 0
session.use_only_cookies = 1
**NOTE** These settings are not WordPress-specific; they can be applied to other web apps written in PHP.
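To confirm that a php.ini actually carries the values recommended above, the following added example (not part of the original post) parses the file text and reports every session directive that deviates, including directives that are missing or commented out and therefore fall back to PHP's defaults. The function names and the sample file are constructed for illustration, and the check only sees the file itself, not runtime overrides such as ini_set().

```python
import re

# Target states taken from the page's recommendations (True = On, False = Off).
RECOMMENDED = {
    "session.cookie_httponly": True,
    "session.cookie_secure": True,
    "session.use_trans_sid": False,
    "session.use_only_cookies": True,
}
# PHP's built-in defaults, applied when a directive is absent or commented out.
DEFAULTS = {"session.cookie_httponly": "0", "session.cookie_secure": "0",
            "session.use_trans_sid": "0", "session.use_only_cookies": "1",
            "session.referer_check": ""}

# Constructed sample input, not a real server's configuration.
SAMPLE_INI = """\
[Session]
session.cookie_httponly = 1
session.cookie_secure = Off      ; cookie would also travel over plain HTTP
;session.use_only_cookies = 0    ; commented out, so the default applies
session.use_trans_sid = 1
"""

def parse_ini(text):
    """Return {directive: raw value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)   # section headers do not match
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def is_on(raw):
    """Interpret a value the way PHP reads a boolean ini setting."""
    raw = raw.strip().lower()
    return raw in {"on", "true", "yes"} or (raw.isdigit() and int(raw) != 0)

def audit(text):
    """Return (directive, effective value, problem) for each deviation."""
    effective = {**DEFAULTS, **parse_ini(text)}
    findings = [(name, effective[name], "expected " + ("On" if want else "Off"))
                for name, want in RECOMMENDED.items() if is_on(effective[name]) != want]
    if not effective["session.referer_check"]:
        findings.append(("session.referer_check", "", "no referer substring set"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(*finding, sep=" | ")
```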