Adding "HttpOnly" and "Secure" cookie flags on Nginx & PHP
I have Nginx running with PHP and WordPress. Acunetix recommends setting these flags, but they provide no documentation. I have looked around a bit, but I have not seen anything that shows exactly how to implement this. I have this module: http://wiki.nginx.org/HttpHeadersMoreModule on Nginx if that would help. Any information on how to set these flags? Thanks.
As requested, here is the cookie sample:
Cookie: __cfduid=d3-shortened-08; cf_use_ob=0; wordpress_logged_in_6dfda-shortened-e3e82d5; __utma=21-shortened-436.19; __utmc=21519150; __utmz=2119150.1396063475.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); testing=1; sid=a14-shortened-384; sessiontest=1; wp-settings-2=editor%3Dhtml%26wplink%3D0%26uploader%3D1%26mfold%3Do%26ed_size%3D677%26libraryContent%3Dbrowse%26urlbutton%3Dfile; wp-settings-time-2=139745167; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a9-shortened-d2a7=DrDinosaur%7C1397980-shortened-2f9
Edit your php.ini and set session.cookie_httponly and session.cookie_secure or use setcookie in your application.
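As an added example that is not part of the answer above, this is what the PHP side looks like: the two php.ini settings applied from code, and `setcookie()` with both flags for cookies the application sets itself. It assumes PHP 7.3 or newer (array form of `setcookie()`), a site served over HTTPS (a `Secure` cookie is never sent over plain HTTP), and treats the `sid` cookie from the question's sample as an application cookie; WordPress's own `wordpress_*` cookies are set inside WordPress core and are not covered by this snippet.

```php
<?php
// Added example: force HttpOnly and Secure on the PHP session cookie
// and on application cookies. Equivalent to php.ini:
//   session.cookie_httponly = 1
//   session.cookie_secure   = 1
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');

// The same settings, explicit and per request. Must run before session_start().
// 'secure' => true means the browser only sends the cookie over HTTPS, so the
// site has to be served over TLS or logins will silently stop working.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',          // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Wrapper for cookies the application sets itself; always adds both flags.
// Hypothetical helper name, not a PHP or WordPress function.
function set_hardened_cookie(string $name, string $value, int $expires = 0): bool
{
    return setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The "sid" cookie from the question, re-issued with both flags
// (value is constructed for the example).
set_hardened_cookie('sid', bin2hex(random_bytes(16)), time() + 3600);
```

Check the result with `curl -kI https://yourhost/` (or the browser's developer tools) and look for `HttpOnly` and `Secure` on every `Set-Cookie` line; any cookie that still lacks them is set by code this snippet does not reach.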
The cookies are set in PHP code, and nginx is just relaying the information it receives from PHP to the site visitor.
You might be able to modify the headers with nginx-headers-more module, but you could also make new problems with that approach.
A safer way is to patch WP's cookie-setting code to enable setting of cookies with the httponly and secure features.
I don't know if there are any preferred methods of enabling those in WP, or if you just need to hack the actual cookie setting code.
To confirm on this: __cfduid is a cookie provided by Cloudflare and does not hold any sensitive data. You cannot alter it to have a secure flag either.