[wp-trac] [WordPress Trac] #22705: Admin cookies set to wrong path for main blog in a WP-in-subdir-sites-on-root install that uses subdomains

WordPress Trac noreply at wordpress.org
Mon Dec 3 23:32:17 UTC 2012


#22705: Admin cookies set to wrong path for main blog in a WP-in-subdir-sites-on-
root install that uses subdomains
-------------------------------------+------------------
 Reporter:  markjaquith              |       Owner:
     Type:  defect (bug)             |      Status:  new
 Priority:  high                     |   Milestone:  3.5
Component:  Administration           |     Version:
 Severity:  blocker                  |  Resolution:
 Keywords:  has-patch needs-testing  |
-------------------------------------+------------------

Comment (by nacin):

 The security concern is that we like to keep the admin cookies limited to
 wp-admin only. This means a vulnerability via the front-end of the site
 wouldn't necessarily result in any serious compromise.

 But, we already relax those rules for subdirectory installs, so we're
 going to need to do it for this specific case of subdomain installs as
 well, for now. When we bring multiple-domain support into core, with that
 we'll need to do cross-site logins, which would mean we can again go back
 to having properly sequestered admin cookies for all types of sites.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22705#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
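
Added example, not part of the original message and not WordPress code: the cookie path-matching rule from RFC 6265 section 5.1.4, showing which requests carry an admin cookie when it is scoped to the admin directory versus relaxed to the site root. Cookie names, paths and the "mis-scoped" jar are constructed for illustration and are not the ticket's actual values.

```javascript
// RFC 6265 section 5.1.4 path-match: is a cookie with this Path attribute
// attached to an HTTP request for requestPath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/wp-admin" does not
  // cover "/wp-admin-extra".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies a browser would send with a request for requestUri.
// Models the HTTP Cookie header only, not script access to cookies.
function cookiesSent(jar, requestUri) {
  const path = requestUri.split('?')[0];
  return jar.filter(c => pathMatch(path, c.path)).map(c => c.name);
}

// Constructed jars (hypothetical names and paths).
// Sequestered: the admin cookie is limited to the admin directory.
const sequestered = [
  { name: 'admin_auth', path: '/wp-admin' },
  { name: 'logged_in', path: '/' },
];
// Relaxed: the admin cookie is valid for the whole site.
const relaxed = [
  { name: 'admin_auth', path: '/' },
  { name: 'logged_in', path: '/' },
];
// Mis-scoped: the cookie path does not match where the admin is served,
// so the browser never returns the cookie on admin requests.
const misScoped = [{ name: 'admin_auth', path: '/wp/wp-admin' }];

// Constructed request URIs.
const adminRequest = '/wp-admin/post.php?post=1';
const frontEndRequest = '/2012/12/hello-world/';

for (const [label, jar] of [['sequestered', sequestered],
                            ['relaxed', relaxed],
                            ['mis-scoped', misScoped]]) {
  console.log(label, 'admin:', cookiesSent(jar, adminRequest),
              'front end:', cookiesSent(jar, frontEndRequest));
}
```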

