[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Mon Apr 17 14:46:20 GMT 2006


On 4/17/06, John Joseph Bachir <jjb at ibiblio.org> wrote:
> Right now the tokens are being managed with a php session, but they could
> also be put into the database if y'all don't like using sessions (as an
> aside, why is authentication done directly with cookies instead of with
> sessions?)

Protecting session ids is a chore: they're sent back and forth on each
request, and anybody who manages to steal one now has full access as a
user. The only way sessions can be more secure than cookies is if it's
all done over SSL, something that is not an option for the everyday
blog.

--
--Robert Deaton
http://somethingunpredictable.com
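An added example, not code from WordPress or from anyone in this thread, of the alternative the thread is circling: per-action tokens that need neither a PHP session nor a database row, because the server recomputes them from a secret it already holds, the user id taken from the auth cookie, the action name and a time window. Everything here is assumed for illustration: the secret constant, the 12-hour window, the `_token` parameter name, the `delete-post_42` action label and the handler shape.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress code. Stateless per-action CSRF tokens:
// nothing is written to a PHP session or to the database; the server
// recomputes the token from a secret it already holds, so there is no
// second secret travelling back and forth beyond the existing auth cookie.

// Assumption: in a real deployment this comes from configuration, not source.
const ACTION_TOKEN_SECRET = 'replace-with-a-long-random-server-secret';
const ACTION_TOKEN_WINDOW = 12 * 3600;   // seconds per validity window (assumed)

// Window counter; a token is accepted for the window it was issued in and
// the following one, so it lives between one and two windows.
function action_token_tick(int $now, int $window = ACTION_TOKEN_WINDOW): int
{
    return intdiv($now, $window);
}

function action_token_for_tick(int $user_id, string $action, int $tick): string
{
    // Bind the token to the user (from the auth cookie), the exact action
    // and the time window. Truncating the hex MAC keeps URLs short; 80 bits
    // is still far beyond online guessing.
    $mac = hash_hmac('sha256', "$user_id|$action|$tick", ACTION_TOKEN_SECRET);
    return substr($mac, 0, 20);
}

function create_action_token(int $user_id, string $action, ?int $now = null): string
{
    return action_token_for_tick($user_id, $action, action_token_tick($now ?? time()));
}

function verify_action_token(string $token, int $user_id, string $action, ?int $now = null): bool
{
    $tick = action_token_tick($now ?? time());
    foreach ([$tick, $tick - 1] as $t) {
        // Constant-time comparison so a byte-by-byte timing leak cannot be
        // used to reconstruct a valid token.
        if (hash_equals(action_token_for_tick($user_id, $action, $t), $token)) {
            return true;
        }
    }
    return false;
}

// How a request handler would use it. Assumed: $cookie_user_id is the user
// already authenticated from the auth cookie, and the token arrived as a
// hidden form field or query parameter named "_token" (name is arbitrary).
function handle_delete_post(array $request, int $cookie_user_id, int $now): string
{
    $post_id = (int) ($request['post'] ?? 0);
    $action  = 'delete-post_' . $post_id;
    $token   = (string) ($request['_token'] ?? '');
    if (!verify_action_token($token, $cookie_user_id, $action, $now)) {
        return "403: bad or expired token for $action";
    }
    return "deleted post $post_id for user $cookie_user_id";
}

// Constructed demo data: user 7 is issued a token to delete post 42.
$issued_at = 1700000000;
$token = create_action_token(7, 'delete-post_42', $issued_at);

$cases = [
    'same user, same action, same window' => [$token, 7, ['post' => 42], $issued_at + 60],
    'same user, next window'              => [$token, 7, ['post' => 42], $issued_at + ACTION_TOKEN_WINDOW],
    'two windows later'                   => [$token, 7, ['post' => 42], $issued_at + 2 * ACTION_TOKEN_WINDOW],
    'different user presents the token'   => [$token, 8, ['post' => 42], $issued_at + 60],
    'token reused for a different post'   => [$token, 7, ['post' => 43], $issued_at + 60],
];
foreach ($cases as $label => [$tok, $uid, $req, $now]) {
    $req['_token'] = $tok;
    echo str_pad($label, 38), ' -> ', handle_delete_post($req, $uid, $now), PHP_EOL;
}
```

Because the token is derived from the user id in the auth cookie, a token lifted from one user's page is useless to another user, and a token for one post cannot be replayed against another; the only server-side secret to protect is the one constant. Note that this does nothing about the case Robert raises: whoever steals the auth cookie itself can mint valid tokens for every action just by loading the pages, so action tokens address CSRF, not credential theft, and SSL remains the only answer to the latter.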

