[wp-hackers] login / security

ayj & j yllyn at clear.net.nz
Fri Jul 30 11:25:15 UTC 2004


My understanding is that traditional htaccess relies on browser supplied
referrer and / or cookie data and is not robust in the slightest. You can
(and many people do) download browsers that walk straight through it. AFAIK
really solid authentication security requires

1: effective authentication
2: server side tracking following authentication
3: additional checks e.g. IP collection, and statistical protection techniques

I don't claim personally to be anything like an expert and I may be quite
wrong on this - if so I am happy to learn from it. But I have done some
investigation of the issues with someone that definitely is an expert.

I would add that IMO the potential security risks associated with the edit
capability of the php script make security something that cannot be lightly
passed over.

Andrew


----- Original Message -----
From: "Brian Meidell" <brian at mindflow.dk>
To: <hackers at wordpress.org>
Sent: Friday, July 30, 2004 8:08 PM
Subject: Re: [wp-hackers] For those who don't subscribe to the wp docs
mailinglist:


>
> > Are you aware just how many people are having problems logging in ?
>
> This is probably a discussion you've had before, so a link to the thread
> would suffice as an answer, but here goes:
>
> Why doesn't WP use http authentication (either using PHP headers or
> using .htaccess files) as the default access control mechanism and only
> fall back on the current auth method if all else fails?
> .htaccess is certainly robust in my experience.
>
> /Brian
>
> _______________________________________________
> hackers mailing list
> hackers at wordpress.org
> http://wordpress.org/mailman/listinfo/hackers_wordpress.org
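As an added illustration of the three requirements Andrew lists (this is example code, not anything from the thread or from WordPress): a minimal Python session store that verifies credentials, keeps its own record of each session under an opaque random token, and cross-checks the client IP and session age on every request, so a cookie the browser merely asserts (e.g. "user=admin") is never honoured. The usernames, passwords, addresses and the one-hour TTL are constructed values.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds a session stays valid (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier; only this, never the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self):
        # token -> (user, client_ip, issued_at): the server's own record of who
        # is logged in, so nothing the browser sends is trusted on its own.
        self._sessions = {}

    def login(self, user, password, client_ip, users):
        """Point 1: check credentials; on success issue a random opaque token."""
        record = users.get(user)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        # The token carries no user data; it is only a key into the server table.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_ip, time.time())
        return token

    def authenticate(self, token, client_ip, now=None):
        """Points 2 and 3: look the token up server-side, then check IP and age."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown, forged, or already invalidated cookie
        user, ip, issued = entry
        if ip != client_ip or now - issued > SESSION_TTL:
            del self._sessions[token]  # mismatch or expiry ends the session
            return None
        return user
```

Binding a session to an IP address is a useful extra signal but breaks for users behind rotating proxies or mobile carriers, so in production it is usually logged and scored rather than enforced as a hard gate.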
