• Resolved SSavage

    (@ssavage)


    Hello,
    I am using the Sucuri Security Plugin for a client at https://www.tomblubaugh.net using Striking Multiflex as the theme and it is a great tool with great instructions on securing and hardening a wordpress website, thank you.

    I have one warning listed during the malware scan that I cannot seem to get rid of.

    Cookie without HttpOnly
    We identified a Cookie on your site that was not set as HttpOnly.
    https://kb.sucuri.net/warnings/hardening/cookies-httponly

    The link says to use ‘Set-Cookie: COOKIE=VAL; path=/; domain=.domain.com; secure; HttpOnly’ to set your cookies; however, it does not explain where to put this code and neither does the two sub-links explaining this process.

    I have researched other ways to set cookies but none seem to remove this warning from the plugin.

    Where should this code be placed and/or Is it possible to determine which cookie is causing this warning?

    Thank you for all your help,
    Shawn


Viewing 7 replies - 1 through 7 (of 7 total)
  • The articles referenced in the post are deliberately ambiguous because the information in the response headers depends on the technology used to power the website; each programming language and technology stack has its own way to do this.

    In this case you mentioned a website that was built on top of WordPress, which is powered by PHP, so you can add the “HttpOnly” flag to the cookies using either the “setcookie” or “setrawcookie” functions, or you can achieve the same result by adding headers manually like this:

    setcookie(
        $name,    // Name of the cookie.
        $value,   // Value of the cookie.
        $expire,  // Time the cookie expires in Unix timestamp.
        $path,    // Path on the server in which the cookie will be.
        $domain,  // The domain that the cookie is available to.
        $secure,  // Transmitted only over a secure HTTPS connection.
        $httponly // Make accessible only through the HTTP protocol.
    );
    setrawcookie( /* same parameters as setcookie */ );
    header( 'Set-Cookie: name=value; HttpOnly' );
    

    It is worth mentioning that SiteCheck, which is the scanner that powers the Malware Scan page available in the plugin, will display the warning if at least one cookie (in case there is more than one) is missing the “HttpOnly” flag. For instance, the website mentioned above has two cookies (at the moment) and only one of them is secured.

    Reference: How do you set up use HttpOnly cookies in PHP
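
To find which cookie trips the warning (the question in the opening post, and the “two cookies, only one secured” observation above), here is an added PHP audit script that is not part of the thread or of the Sucuri plugin; the sample Set-Cookie headers are constructed, and fetch_set_cookie_headers() is my own helper around PHP's get_headers().

```php
<?php
// Which cookie lacks the flag? Parse each Set-Cookie header and list the
// flags it is missing. The sample headers below are constructed for this
// example; fetch_set_cookie_headers() pulls the real ones from a live URL.

/**
 * @param string[] $setCookieHeaders raw Set-Cookie header values
 * @return array<string, string[]> cookie name => flags it is missing
 */
function audit_cookie_flags(array $setCookieHeaders): array
{
    $report = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        // The first segment is "name=value"; the rest are attributes.
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map('strtolower', $parts);
        $missing = [];
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = 'HttpOnly';
        }
        if (!in_array('secure', $attrs, true)) {
            $missing[] = 'Secure';
        }
        $report[$name] = $missing;
    }
    return $report;
}

/** Fetch the Set-Cookie headers of a live page (one element per header). */
function fetch_set_cookie_headers(string $url): array
{
    $headers = get_headers($url, true) ?: [];
    // Header names keep whatever case the server sent; normalise the keys.
    $headers = array_change_key_case($headers, CASE_LOWER);
    return (array) ($headers['set-cookie'] ?? []);
}

// Constructed sample: a hardened WordPress cookie next to a bare PHP session
// cookie such as the one session_start() emits with default php.ini settings.
$sample = [
    'wordpress_test_cookie=WP+Cookie+check; path=/; secure; HttpOnly',
    'PHPSESSID=c0nstructedsessionid; path=/',
];
// For a live site use: $sample = fetch_set_cookie_headers('https://example.com/');

foreach (audit_cookie_flags($sample) as $name => $missing) {
    echo $name, ': ', $missing ? 'missing ' . implode(', ', $missing) : 'ok', PHP_EOL;
}
```

Run it from the command line with the PHP CLI; a cookie reported as missing HttpOnly is the one SiteCheck is flagging.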

    Thread Starter SSavage

    (@ssavage)

    Thank you Yorman, and may I ask does this go into the wp-config.php, .htaccess, functions.php, pluggable.php, or where?

    Shawn

    The best location for the manipulation of the headers is the first file that is being called when the website is being loaded; in this case it would be the main “index.php” file, but it is not recommended to edit WordPress core files, so I would say that you can add the cookie flag in the main file of your current theme.

    Try adding these three lines [1] at the beginning of the “index.php” file located here [3]; if that does not work or the file does not exist then try to add these three lines [2] in the main “.htaccess” file [4], and if that does not work either then I would ask your hosting provider to help you with that, they must know the server where your website is being hosted better than you and me.

    [1] First option for index.php file.
    @ini_set('session.cookie_httponly', 'On');
    @ini_set('session.cookie_secure', 'On');
    @ini_set('session.use_only_cookies', 'On');
    
    [2] Second option for .htaccess file.
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_flag session.use_only_cookies On
    

    [3] https://tomblubaugh.net/wp-content/themes/striking_r/index.php
    [4] https://tomblubaugh.net/.htaccess

    Thread Starter SSavage

    (@ssavage)

    Thank you Yorman,

    Inserting the code in the index.php file did not remove the warning from the Sucuri Malware Scan.

    Adding the code in the .htaccess returned a 501 error when refreshing the website. I then wrapped the code

    <IfModule php5_module>
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure On
    php_flag session.use_only_cookies On
    </IfModule>

    and the 501 error went away; however, I have to wait at least 20 mins to clear the malware scan cache before running it again.

    Just FYI, I had already added the if statements to the .htaccess file but with only the one line for httponly.

    Thread Starter SSavage

    (@ssavage)

    Thank you for all the help. Item warning is still there. I will get with my server host.

    Yes, that is better, they usually give better support considering that they are the ones managing the servers. I can only provide ambiguous information because I do not know much about the configuration of the site or its server.

    By the way, you do not need to wait ~20 minutes to run a new malware scan; you can run a new/fresh scan every time you want as long as you reset the cache that the plugin generates. Go to the “Scanner Settings” and you will find there an option that says “Reset SiteCheck Logs”; click that button and the “Malware Scan” will be reset immediately.

    Thanks so much, Yorman, for all your help on this. The last tidbit about resetting the sitecheck logs is a lifesaver!

    I’ve spent hours trying to figure this out, and I’ve learned a lot. I changed my php.ini file, and I’ve also added @ini_set('session.cookie_httponly', 'On'); to wp-config.php. That correctly enables that setting in PHP, which I can confirm with ini_get('session.cookie_httponly');.

    However, that does not eliminate the error. As it turns out, any plugin that tries calling session_start() will also cause this error to come up. This is happening in three of my plugins: WordPress Social Login, Paid Memberships Pro, and WC Vendors.

    It is possible to eliminate the error by calling session_start() in the plugin with the init action, like so:

    function wsl_start_session() {
        if ( ! session_id() ) {
            @session_start();
        }
    }
    add_action( 'init', 'wsl_start_session', 1 );

    However, I have not confirmed that the cookies function properly under this setting. My question is: is this actually the plugin’s fault, or is it a problem with Sucuri’s check? It’s worth noting that a plugin consisting only of:

    if ( ! session_id() ) {
        @session_start();
    }

    will throw the error, so it’s unrelated to the other contents of those plugins.
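
As an added example that is not code from the thread or from the Sucuri plugin, the must-use plugin below applies the ini_set() directives from Yorman's reply and fixes the PHP session cookie parameters before any regular plugin's session_start() runs, so PHPSESSID is emitted with HttpOnly (and Secure on HTTPS) regardless of php.ini or .htaccess support; the file name and the hsc_ function name are my own, and it assumes PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
/**
 * Plugin Name: Harden PHP session cookie (example mu-plugin)
 *
 * Save as wp-content/mu-plugins/harden-session-cookie.php. Must-use plugins
 * load before regular plugins, so these settings are in place before any
 * plugin calls session_start(). Assumes PHP 7.3+ (array form of
 * session_set_cookie_params()) and WordPress' is_ssl() helper.
 */

function hsc_harden_session_cookie(): void
{
    // A session started even earlier (e.g. via php.ini session.auto_start)
    // already sent its cookie; changing the parameters now would not affect it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    $secure = is_ssl();

    // Same directives as the thread's ini_set()/php_flag lines, set in code
    // so they hold even when the host ignores .htaccess php_flag entries.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_secure', $secure ? '1' : '0');

    // Explicit cookie parameters for PHPSESSID; a later session_start() in any
    // plugin (the init snippet above, WordPress Social Login, ...) reuses them.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

hsc_harden_session_cookie();
```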

  • The topic ‘Cookie without HttpOnly’ is closed to new replies.