anugrahjaya1

hi bcworkz thanks for answering my question, but I think I forgot to mention one thing. the wp_redirect_admin_location is using on action templte_redirect, and I am aware to not change any WordPress core code, so my plan is to recreate the wp_redirect_admin_location with a new name and make it redirect to the home page if a user tried to access /login, /wp-admin, /dashboard, admin, and registered to the same action hook

is that okay? Do you guys have any recommendations?

I did research and here the code for remove default allowed HTTP origins from WordPress

function remove_allowed_http_origins_defaults($allowed_origins)
{
    $allowed_origins = [];

    return $allowed_origins;
}

add_filter("allowed_http_origins", "remove_allowed_http_origins_defaults", 10, 1);

The background is want to know how flexible CORS is in WordPress, and regarding security as well. So will there be any issues if the code is implemented? and I also realized, using the same filter hook we can reset the allowed origin as needed.

On the top of the pluggable.php file, there are comments like this

/**
 * These functions can be replaced via plugins. If plugins do not redefine these
 * functions, then these will be used instead.
 *
 * @package WordPress
 */

And i override the function to set cookie from this syntax

setcookie(
    string $name,
    string $value = "",
    int $expires_or_options = 0,
    string $path = "",
    string $domain = "",
    bool $secure = false,
    bool $httponly = false
): bool

to this syntax (alternative signature), and the options array, i add “samesite=WP_SAMESITE_VALUE”

setcookie(string $name, string $value = "", array $options = []): bool

reference: https://www.php.net/manual/en/function.setcookie.php

or any suggestion that I can try? like use WordPress hook

• This reply was modified 5 months, 2 weeks ago by anugrahjaya1.

Is it okay to override “wp_set_auth_cookie” in /wp-includes/pluggable.php to implement SameSite?

if you have any recommendations on how to implement SameSite it would be very helpful (without any plugin)

Yes, I already checked the spelling. In php.ini is set into /tmp, but sometimes I can’t upload got the error “Missing a temporary folder.” I read some of the articles related to my issue and found the need to define WP_TEMP_DIR, so I defined to /wp-content/temp, also created the temp folder inside wp-content, but still nor working

is there any effect if i implement samesite=strict on WP using our SSO? or are you have any recommendation for samesite configuration?

im using SSO to login into WP, i did 3 cases with plugin that you recommended

• Strict -> can login but after login via SSO, its redirect to login page and need click SSO button to login
• None -> cant login via SSO
• Lax -> can login normally (SSO -> WordPress admin dashboard)

is it ok if i set samesite=Strict and login using SSO?

That plugin only affected wordpress_xxxx and wordpress_logged_in_xxxx right?

is there any other way to add SameSite=strict to session cookies WordPress?

Ok thanks everyone for your explanation, so this is false positive.

• This reply was modified 8 months, 1 week ago by anugrahjaya1.

So the tinymce.min.js especially for the code that i mentioned before not related to LDAP?

and can elaborate on this code also?

{var s,r,o=this,c=0,l=[],t=0,f=function(){return 0===t}

thanks

no, its happen if i put “id” in custom HTML

and this is the log
WARNING: [pool www] child 21218, script '/var/www/html/wp-admin/index.php' (request: "GET /wp-admin/index.php") executing too slow (10.278133 sec)

i also did on “stg” its working, but why on “prd” still got 504, do you know why?

im not sure if the root cause is from my custom theme because i did provide some WordPress websites with custom plugins as mu-plugins, all working normally, but in this case (with a little bit different custom plugins, and currently I disable all mu-plugins) I still get the cookie blocker, and also tried some related article but nothing solved this issue.

what config i can use in wp-config.php? i already enable wp_debug

i did some test, deactive plugins and change theme, i still get “Failed to load resource: /wp-json/wp/v2/posts/917?_locale=user:1 the server responded with a status of 504 ()”

to fix vulnerability libwebp only need to update package libwebp or better update php version? example from 8.2.3 to 8.2.11? which one better?