[wp-trac] Re: [WordPress Trac] #7001: Admin SSL Support

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 27 21:11:25 GMT 2008


#7001: Admin SSL Support
---------------------+------------------------------------------------------
 Reporter:  ryan     |        Owner:  anonymous
     Type:  defect   |       Status:  new      
 Priority:  normal   |    Milestone:  2.6      
Component:  General  |      Version:           
 Severity:  normal   |   Resolution:           
 Keywords:           |  
---------------------+------------------------------------------------------
Comment (by ryan):

 So, 2.6 has two cookies.  "wordpress_logged_in" is a read-only cookie that
 is delivered for all pages.  It indicates that the user is logged in and
 allows looking at some of that user's private data.  is_user_logged_in()
 checks this cookie. "wordpress" is a read/write cookie that is delivered
 only for wp-admin/.  It has the power to make changes. auth_redirect()
 checks this cookie. Since it is only delivered for wp-admin/, files in the
 plugins directory that directly load admin.php will not be authorized.
 This is a back compat break, which sucks, but it also prevents attacks
 that mess around with files in the plugins directory from getting at the
 auth cookie.  If directly loading admin.php from the plugins directory is a
 common practice, I guess we'll have to set an auth cookie for the plugins
 directory.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7001#comment:15>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
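The comment above relies on the browser's cookie Path rule: a cookie set with Path=/wp-admin/ is attached only to requests under that path, so a request to a file in wp-content/plugins/ never carries the "wordpress" auth cookie even though it does carry "wordpress_logged_in". The following is an added example, not WordPress code: it models the RFC 6265 path-match rule and a server-side check shaped like is_user_logged_in() versus auth_redirect(), using constructed cookie values and example URLs. The cookie names and paths follow the comment; everything else (function names, values, the example host) is assumed for illustration.

```python
"""Added example (not part of the WordPress code base): model which cookies a
browser sends to a given URL, to show why a Path=/wp-admin/ auth cookie is
not delivered to plugin files, while the site-wide logged-in cookie is."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # the Path attribute the server sent with Set-Cookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/wp-admin/" matches "/wp-admin/post.php"
        if cookie_path.endswith("/"):
            return True
        # "/wp-admin" matches "/wp-admin/x" but not "/wp-admin-other/x"
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent_to(url: str, jar: list[Cookie]) -> list[str]:
    """Names of the jar's cookies a browser would attach to a request for url."""
    path = urlsplit(url).path or "/"
    return sorted(c.name for c in jar if path_matches(path, c.path))


# Constructed cookie jar mirroring the two-cookie layout from the comment.
# The values are placeholders, not real WordPress cookie contents.
JAR = [
    Cookie("wordpress_logged_in", "placeholder-logged-in-token", "/"),
    Cookie("wordpress", "placeholder-auth-token", "/wp-admin/"),
]


def server_view(url: str, jar: list[Cookie] = JAR) -> dict[str, bool]:
    """What the server can conclude from the cookies that actually arrive:
    'logged_in' is what an is_user_logged_in()-style check sees, 'can_act'
    is what an auth_redirect()-style check requires (assumed names)."""
    received = set(cookies_sent_to(url, jar))
    return {
        "logged_in": "wordpress_logged_in" in received,
        "can_act": "wordpress" in received,
    }


if __name__ == "__main__":
    for u in (
        "http://example.test/wp-admin/post.php",
        "http://example.test/wp-content/plugins/some-plugin/page.php",
        "http://example.test/wp-admin-lookalike/page.php",
    ):
        print(u, server_view(u))
```

The last example URL shows why the trailing slash in Path=/wp-admin/ matters: a path that merely begins with the string "/wp-admin" does not match, so the auth cookie stays confined to the real admin directory. Note that the Path attribute only limits which requests the browser attaches the cookie to; it is not an origin boundary, so same-origin script is still governed by the cookie's HttpOnly flag and the same-origin policy, not by Path.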

