[wp-hackers] Rethinking check_admin_referer()

Geoff Johnson thunderlove at gmail.com
Mon Apr 17 21:55:53 GMT 2006


I'm wondering if there is any need for a key/PID...  What if a random value
was used each time, and saved as an admin cookie?

A unique id could be generated each time an admin page is viewed, and
embedded in the link.

<pre>
<?php

// A fresh random value on every page view: stored in a cookie and also
// embedded in the link, so the two can be compared on the next request.
$cval = md5( rand() . time() . microtime() );
setcookie( 'testCookie', $cval );

if( !isset( $_REQUEST['passkey'] ) ) {
?>
        <a href="/test.php?passkey=<?php echo $cval; ?>">test it!</a>
<?php
// $_COOKIE still holds the value the browser sent with this request (the
// previous page's cookie), so the comparison is unaffected by the
// setcookie() call above. isset() avoids a notice when no cookie was sent.
} else if ( isset( $_COOKIE['testCookie'] ) && $_COOKIE['testCookie'] === $_REQUEST['passkey'] ) {
?>
        <h3>Access Granted</h3>
<?php
} else {
?>
        <h3>Access Denied</h3>
<?php
}
?>
</pre>
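As an added example (not from Geoff's post and not WordPress code), here is the same cookie-plus-link token idea written the way a defender would want it today: a CSPRNG instead of rand()/md5(), a constant-time comparison, and cookie flags that keep the token out of scripts and cross-site navigations. The function names, cookie name and the passkey format are this example's own assumptions.

```php
<?php
// Added example, not part of the original post: hardened version of the
// per-page-view token scheme. Names below are assumptions for illustration.

const NONCE_COOKIE = 'admin_nonce';   // assumed cookie name

// Generate an unpredictable token and store it in a cookie that scripts
// cannot read and that browsers do not attach to cross-site navigations.
function issue_token(): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from a CSPRNG, not rand()
    setcookie(NONCE_COOKIE, $token, [
        'httponly' => true,
        'samesite' => 'Strict',
        'secure'   => !empty($_SERVER['HTTPS']),
        'path'     => '/',
    ]);
    return $token;
}

// Grant only when both values are present, well-formed and identical.
// hash_equals() compares in constant time, so a mismatch does not leak
// how many leading characters were correct.
function verify_token($cookie, $param): bool {
    if (!is_string($cookie) || !is_string($param)) {
        return false;                     // missing cookie or missing/odd passkey
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $param)) {
        return false;                     // reject malformed input before comparing
    }
    return hash_equals($cookie, $param);
}

if (!isset($_REQUEST['passkey'])) {
    $token = issue_token();
    $href  = '/test.php?passkey=' . rawurlencode($token);
    echo '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">test it!</a>';
} elseif (verify_token($_COOKIE[NONCE_COOKIE] ?? null, $_REQUEST['passkey'])) {
    issue_token();                        // rotate so each token is accepted once
    echo '<h3>Access Granted</h3>';
} else {
    echo '<h3>Access Denied</h3>';
}
```

One caveat to keep in mind when evaluating this design: it only holds if nothing else that can set cookies for the site (for example another host on the same registrable domain) is under an attacker's control, because whoever can write the cookie can also write a matching passkey.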
