How to fix insecure cookie on WooCommerce

Set the HttpOnly, Secure, and SameSite=Strict flags on every session and CSRF cookie your store sets so they cannot be stolen by malicious scripts or sent over unencrypted connections.

Steps for WooCommerce

  1. Go to WordPress Admin → Plugins → Add New and install the 'Really Simple SSL' plugin (free) or 'Sucuri Security'; these plugins enforce Secure and SameSite cookie flags site-wide via PHP filters.
  2. Alternatively, open your theme's functions.php (Appearance → Theme File Editor → functions.php) or a site-specific plugin and add: `add_filter('session_cookie_params', function($params){ $params['secure'] = true; $params['httponly'] = true; $params['samesite'] = 'Strict'; return $params; });`
  3. WooCommerce's own session cookie (wp_woocommerce_session_*) is set by WooCommerce core, so update WooCommerce to the latest version (Dashboard → Updates) to get its current security flags.
  4. For WordPress auth cookies (wordpress_logged_in_*, wordpress_sec_*): add `@ini_set('session.cookie_httponly', 1);` and `@ini_set('session.cookie_secure', 1);` to wp-config.php.
  5. Verify via browser DevTools → Application → Cookies that all wp_ and woocommerce_ cookies show HttpOnly ✓, Secure ✓, and SameSite = Strict/Lax.
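As an added example (not code from this page, from WordPress or from WooCommerce), a site-specific mu-plugin that applies the flags from step 2 through WooCommerce's `woocommerce_set_cookie_options` filter and WordPress core's `secure_auth_cookie` / `secure_logged_in_cookie` filters; it assumes a recent WooCommerce release that provides that filter, PHP 7.3 or newer (array form of `setcookie`), and a store served only over HTTPS. Browsers do not send a SameSite=Strict cookie on the first top-level request after a cross-site redirect, such as a shopper returning from an off-site payment gateway, so the session cookie is given Lax here; that is why step 5 accepts Strict or Lax.

```php
<?php
/**
 * Plugin Name: Harden store cookies (added example, not WooCommerce code)
 * Place this file in wp-content/mu-plugins/ so it loads before the theme.
 * Assumes: WooCommerce with the woocommerce_set_cookie_options filter,
 * PHP >= 7.3, and an HTTPS-only store (Secure cookies are never sent over HTTP).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never execute outside WordPress.
}

// Covers every cookie WooCommerce sets through wc_setcookie(): the session
// cookie (wp_woocommerce_session_*), woocommerce_cart_hash, woocommerce_items_in_cart, ...
add_filter( 'woocommerce_set_cookie_options', function ( $options, $name ) {
    // The session cookie must survive a top-level redirect back from an off-site
    // payment gateway; Strict would drop it on that first request and empty the cart.
    $is_session = 0 === strpos( $name, 'wp_woocommerce_session_' );

    $options['secure']   = true;                       // HTTPS only
    $options['httponly'] = true;                       // not readable from JavaScript
    $options['samesite'] = $is_session ? 'Lax' : 'Strict';
    return $options;
}, 10, 2 );

// WordPress core already marks its auth cookies HttpOnly; force Secure as well so a
// stray http:// link never transmits wordpress_logged_in_* or wordpress_sec_* in clear.
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );
```

After activating it, repeat step 5 in DevTools; the WooCommerce session cookie should show SameSite = Lax and every other wp_ and woocommerce_ cookie Strict, all with HttpOnly and Secure set.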
A correctly flagged cookie header looks like this:

```
Set-Cookie: CSRFTOKEN=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
```

What is an insecure cookie?

Every time a visitor lands on your store, their browser receives small data files called cookies — one of which typically holds their login session or a CSRF token (a secret code that proves form submissions came from your real site, not an attacker). Each cookie can carry protective "flags" that tell the browser how to handle it safely. The three critical flags are: **HttpOnly** (JavaScript running on the page cannot read the cookie, so a hacked ad script cannot steal it), **Secure** (the browser only sends the cookie over HTTPS, never plain HTTP), and **SameSite=Strict** (the browser refuses to send the cookie when a request originates from a third-party site, blocking cross-site request forgery attacks). When any of these flags are missing, the cookie is left partially unprotected.

A missing HttpOnly flag is the primary enabler of session-hijacking via Cross-Site Scripting (XSS): if even one ad, chat widget, or third-party script on your page is ever compromised, it can silently read your customers' session cookies and hand them to an attacker, who then logs in as that customer and sees their orders, saved addresses, and payment methods. A missing Secure flag risks cookies being transmitted in plain text if a customer ever hits an HTTP link, exposing their session to network eavesdroppers (especially on public Wi-Fi). A missing SameSite flag enables Cross-Site Request Forgery (CSRF), where a malicious page tricks a logged-in customer's browser into submitting unwanted actions — like changing their email or placing a fraudulent order — on your store. Beyond customer harm, a breach involving stolen session tokens can trigger PCI-DSS violations, GDPR fines, and lasting reputational damage that directly kills revenue.

See the complete Insecure cookie guide for every platform and the full background.
