This thread is resolved. Here is a description of the problem and solution.
Problem:
The client is concerned about the security of the WPML plugin because the HttpOnly flag is missing in the cookie definition for 'wp-wpml_current_language'. This issue has been raised due to security report requirements, despite the cookie not containing sensitive information.
Solution:
We have investigated the behavior of the 'wp-wpml_current_language' cookie and found that:
- For logged-in users, the cookie is set via PHP and can support the HttpOnly flag.
- For non-logged-in users, the cookie is set via JavaScript to ensure correct language settings on cached websites, making the HttpOnly flag inapplicable as it would prevent JavaScript access and disrupt functionality.
Security measures currently in place include:
- SameSite=Lax to protect against CSRF attacks.
- The cookie has a short lifespan of 1 day.
- It only stores the language code, containing no personal or sensitive information.
This design is necessary to balance functionality and security, especially for non-logged-in users on cached websites.
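The two paths described above can be made concrete. The following is an added example, not WPML's code: it builds the Set-Cookie string a server would emit for the logged-in case (where HttpOnly is possible) and the document.cookie string a script would write for the cached, non-logged-in case (where HttpOnly cannot apply), and includes a small audit helper of the kind a reviewer would use to check the attributes mentioned in the thread. The cookie name is taken from the thread; the function names, language values and the one-day Max-Age encoding are assumptions made for this illustration.

```javascript
// Added example, not part of the WPML plugin. The cookie name comes from the
// support thread; function names, sample values and the attribute layout are
// constructed here for illustration only.
const COOKIE_NAME = 'wp-wpml_current_language';
const ONE_DAY_SECONDS = 24 * 60 * 60;

// Very loose sanity check on a language code such as "en" or "pt-br" (assumption).
function assertLanguageCode(lang) {
  if (!/^[a-z]{2,3}(-[a-z]{2,4})?$/i.test(lang)) {
    throw new Error(`invalid language code: ${lang}`);
  }
}

// Server-side path (logged-in users): the cookie is sent in an HTTP response
// header, so HttpOnly can be set alongside SameSite=Lax and a one-day lifetime.
function buildServerLanguageCookie(lang) {
  assertLanguageCode(lang);
  return [
    `${COOKIE_NAME}=${encodeURIComponent(lang)}`,
    'Path=/',
    `Max-Age=${ONE_DAY_SECONDS}`,
    'SameSite=Lax',
    'HttpOnly',
  ].join('; ');
}

// Client-side path (non-logged-in users on a cached page): the cookie has to be
// written through document.cookie, and a cookie written from script cannot carry
// HttpOnly, so the string deliberately omits it. Everything else is kept.
function buildClientLanguageCookie(lang) {
  assertLanguageCode(lang);
  return [
    `${COOKIE_NAME}=${encodeURIComponent(lang)}`,
    'Path=/',
    `Max-Age=${ONE_DAY_SECONDS}`,
    'SameSite=Lax',
  ].join('; ');
}

// Review helper: parse one cookie string and report the attributes the thread
// discusses (HttpOnly, SameSite, lifetime), plus a list of findings.
function auditSetCookie(cookieString) {
  const parts = cookieString.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, rawValue = ''] = parts[0].split('=');
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const [key, val] = part.split('=');
    // Flag attributes (HttpOnly, Secure) have no value; store them as true.
    attrs.set(key.toLowerCase(), val === undefined ? true : val);
  }
  const httpOnly = attrs.get('httponly') === true;
  const sameSite = attrs.has('samesite') ? String(attrs.get('samesite')) : null;
  const maxAgeSeconds = attrs.has('max-age') ? Number(attrs.get('max-age')) : null;

  const findings = [];
  if (!httpOnly) {
    findings.push('HttpOnly missing (expected when the cookie is written from JavaScript)');
  }
  if (!sameSite || !['lax', 'strict'].includes(sameSite.toLowerCase())) {
    findings.push('SameSite should be Lax or Strict');
  }
  if (maxAgeSeconds === null || Number.isNaN(maxAgeSeconds) || maxAgeSeconds > ONE_DAY_SECONDS) {
    findings.push('Max-Age missing or longer than one day');
  }
  return { name, value: decodeURIComponent(rawValue), httpOnly, sameSite, maxAgeSeconds, findings };
}

// Demo: the logged-in cookie passes all checks; the script-written cookie
// reports exactly the HttpOnly gap the thread explains.
console.log(auditSetCookie(buildServerLanguageCookie('fr')));
console.log(auditSetCookie(buildClientLanguageCookie('de')));
```

The audit helper reports the missing HttpOnly on the script-written cookie as a finding rather than hiding it, so a security report can record the gap together with the compensating attributes (SameSite=Lax, one-day lifetime, non-sensitive value) that the thread lists.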
If this solution does not resolve your issue or seems outdated, we recommend checking related known issues at https://wpml.org/known-issues/, verifying the version of the permanent fix, and confirming that you have installed the latest versions of themes and plugins. If further assistance is needed, please feel free to open a new support ticket at the WPML support forum.
This is the technical support forum for WPML - the multilingual WordPress plugin.
Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.
Assisted by: Shekhar Bhandari.