This is the technical support forum for WPML - the multilingual WordPress plugin.

This topic contains 1 reply, has 0 voices.

Last updated by Andreas W. 6 days ago.

Assisted by: Andreas W.

April 1, 2025 at 11:54 am #16882694

Gil

Background of the issue:
I am trying to address security issues identified in a security report for my site hidden link. The report indicates that the HttpOnly flag is missing in the cookie definition, which allows cookies to be accessed and sent via JavaScript. Additionally, a session cookie is not marked as secure, even though it is transmitted over HTTPS.

Symptoms:
The HttpOnly flag is missing in the cookie definition, and a session cookie is not marked as secure.

Questions:
How can we fix the security issues?

April 2, 2025 at 4:01 am #16885254

Andreas W.
Supporter

Languages: English (English), Spanish (Español), German (Deutsch)

Timezone: America/Lima (GMT-05:00)

Hello,

You should always set the HttpOnly flag on cookies that contain sensitive information, such as session identifiers or user credentials, to mitigate the risk of Cross-Site Scripting (XSS) attacks, where attackers could steal cookies using client-side scripts.

The WPML cookies do not store any sensitive information. They only store the language code.

Further, a language code (like "en" for English or "es" for Spanish) is not a session identifier. Session identifiers are unique codes used to track a user's activity on a website or application during a specific period of time, whereas language codes simply indicate the language of the content.

More details:
https://wpml.org/documentation/support/browser-cookies-stored-wpml/

Best regards
Andreas
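
One way to triage the kind of scanner findings discussed in this thread, as an added example that is not part of either post and is not WPML code: it parses `Set-Cookie` header values, reports which of the `HttpOnly` and `Secure` flags are missing, and separates cookies that look like session or credential cookies from preference cookies such as a language code. The cookie names, header values and the name-based heuristic are constructed assumptions.

```python
# Added example: triage Set-Cookie headers for missing HttpOnly / Secure flags.
# All cookie names and header values below are constructed samples.

# Assumption: a simple name heuristic for cookies that carry session/credential data.
SENSITIVE_HINTS = ("sess", "auth", "token", "login")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def audit(header, over_https=True):
    """Report missing flags and whether the finding needs a fix or only a review."""
    name, _value, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
    if not missing:
        verdict = "ok"
    elif sensitive:
        verdict = "fix"      # session/credential cookie exposed to scripts or plain HTTP
    else:
        verdict = "review"   # confirm the value is non-sensitive (e.g. a language code)
    return {"name": name, "missing": missing, "sensitive": sensitive, "verdict": verdict}

SAMPLE_HEADERS = [  # constructed input
    "example_language=en; Path=/; Max-Age=86400",
    "example_session=3f9c1b7a2d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "example_auth_token=abc123; Path=/",
]

def run():
    return [audit(h) for h in SAMPLE_HEADERS]

if __name__ == "__main__":
    for result in run():
        print(result["verdict"], result["name"], result["missing"])
```

A scanner reports the first and third sample cookies identically; the triage shows that only the third carries data worth protecting with these flags.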