MediaWiki Cookie / https / onion settings

A few settings have been hardened for better security…


https website version and onion website version:

Now using HttpOnly.

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

Manual:$wgCookieHttpOnly - MediaWiki

$wgCookieHttpOnly = true;

https website version and onion website version:

Now using SameSite setting SameSite=Strict.

Manual:$wgCookieSameSite - MediaWiki

$wgCookieSameSite = "Strict";

https website version:

Now using Manual:$wgForceHTTPS - MediaWiki

$wgForceHTTPS = true;

but that shouldn’t make a difference.


https website version:

Now using SecureCookieAttribute.

Browsers which support the secure attribute will only send cookies with the secure attribute when the request is going to an HTTPS page.

Manual:$wgCookieSecure - MediaWiki

$wgCookieSecure = true;

…these settings have a chance of breaking logins on the https version, the onion version, or both.
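As an added check (not code from the forum post or from MediaWiki), the script below parses Set-Cookie headers and verifies them against the two profiles described above: the https version must carry HttpOnly, Secure and SameSite=Strict, the onion version HttpOnly and SameSite=Strict but no Secure flag, since a Secure cookie would never be sent back over the plain-http onion site. The profile names and sample headers are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple

# Expected attributes per deployment; None means "present, any value".
REQUIRED: Dict[str, Dict[str, Optional[str]]] = {
    "https": {"httponly": None, "secure": None, "samesite": "strict"},
    "onion": {"httponly": None, "samesite": "strict"},
}
# Attributes that must NOT appear for a deployment.
FORBIDDEN: Dict[str, set] = {"https": set(), "onion": {"secure"}}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Return (cookie name, {attribute -> value or None}) for one Set-Cookie line."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flags like Secure have no value.
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def check_cookie(header: str, profile: str) -> List[str]:
    """List the policy violations for one Set-Cookie header (empty list = ok)."""
    name, attrs = parse_set_cookie(header)
    problems: List[str] = []
    for attr, expected in REQUIRED[profile].items():
        if attr not in attrs:
            problems.append(f"{name}: missing {attr}")
        elif expected is not None and (attrs[attr] or "").lower() != expected:
            problems.append(f"{name}: {attr}={attrs[attr]} (expected {expected})")
    for attr in FORBIDDEN[profile]:
        if attr in attrs:
            problems.append(f"{name}: {attr} must not be set for {profile}")
    return problems


# Constructed sample headers, in the shape a MediaWiki session cookie takes.
SAMPLES = {
    "https": "mw_session=abc123; path=/; secure; HttpOnly; SameSite=Strict",
    "onion": "mw_session=abc123; path=/; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for profile, header in SAMPLES.items():
        print(profile, check_cookie(header, profile) or "ok")
```

Run it against the real headers by pasting the Set-Cookie lines from a login response (for example from the browser's developer tools) into SAMPLES.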

⚓ T325229 add option to set cookies hostOnly property

This has the disadvantage that when following a link from a different domain name (such as from a search engine to whonix.org or from kicksecure.com to whonix.org) the user appears to be logged out, even if the user is already logged in. When going to the URL bar and pressing enter, the user will appear logged in again (of course only if the user was previously logged in).

This is not a bug. This is to be expected when setting cookies to SameSite=Strict as per browser defaults.

While not a bug, this can certainly be confusing. Other SameSite settings could be investigated.

⚓ T325663 Audit use of cookies #2