[wp-hackers] Rethinking check_admin_referer()
Mark Jaquith
mark.wordpress at txfx.net
Tue Apr 18 11:49:18 GMT 2006
On Apr 18, 2006, at 7:18 AM, Owen Winkler wrote:
> It might also be possible to cause these keys to time out, so even
> if they were obtained once, there would be a limited opportunity to
> use them.
Certainly. Simply add some unit of time to the hash. The function that checks the hash computes multiple hashes, starting with the current value of the time unit, and then decrementing the time unit a specified number of times until the timeout is reached. It could even be more permissive for certain screens than others (pass another variable to the function that checks). You can reduce the number of hashes that need to be computed (so you don't have to compute the hash for every minute, going back an hour) by adding the last unit of time as floor($minutes/5), so that the time appears to jump from 12:00 to 12:05 to 12:10, which means you don't have to check all the "in-between" hashes.
--
Mark Jaquith
http://txfx.net/
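The time-bucketed nonce scheme described in the reply above, as an added illustration that is not WordPress code and not part of the original thread. It assumes a 5-minute tick computed from Unix seconds (equivalent to floor($minutes/5)), a per-screen maximum age passed to the checker, and a server-side secret; binding the nonce to a user id and an action name is an addition for this example, not something the post specifies.

```php
<?php
// Added example of a time-bucketed CSRF nonce. Not WordPress code: the
// secret, action names, tick size and fixed timestamps are assumptions.

const NONCE_SECRET = 'replace-with-a-long-random-server-secret'; // assumption
const TICK_SECONDS = 5 * 60; // one tick = 5-minute bucket, like floor($minutes/5)

// Current tick number: the clock appears to jump 12:00 -> 12:05 -> 12:10,
// so the checker only recomputes one hash per tick, not one per minute.
function current_tick(?int $now = null): int {
    return intdiv($now ?? time(), TICK_SECONDS);
}

// Nonce for a given user, action and tick (HMAC so it cannot be forged
// without the server secret; truncated only to keep URLs short).
function make_nonce(int $user_id, string $action, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 16);
}

// Recompute the nonce for the current tick and each of the previous
// $max_age_ticks ticks. Returns the age in ticks (0 = current) or false.
// Pass a larger $max_age_ticks for screens that should be more permissive.
function verify_nonce(string $nonce, int $user_id, string $action,
                      int $max_age_ticks = 2, ?int $now = null) {
    $tick = current_tick($now);
    for ($age = 0; $age <= $max_age_ticks; $age++) {
        $expected = make_nonce($user_id, $action, $tick - $age);
        if (hash_equals($expected, $nonce)) { // constant-time comparison
            return $age;
        }
    }
    return false;
}

// Demo with a fixed clock (constructed timestamp) so the run is reproducible.
$t0  = 1145360000;
$uid = 42;
$n   = make_nonce($uid, 'delete-post_7', current_tick($t0));
$cases = [
    'same tick'             => [$n, $uid, 'delete-post_7', 2, $t0],
    'eleven minutes later'  => [$n, $uid, 'delete-post_7', 2, $t0 + 11 * 60],
    'fifteen minutes later' => [$n, $uid, 'delete-post_7', 2, $t0 + 15 * 60],
    'wrong action'          => [$n, $uid, 'edit-post_7',   2, $t0],
];
foreach ($cases as $label => $args) {
    $age = verify_nonce(...$args);
    printf("%-22s => %s\n", $label, $age === false ? 'rejected' : "accepted, age $age tick(s)");
}
```

The acceptance window is $max_age_ticks plus the fraction of the current tick already elapsed, so a nonce issued just before a bucket boundary expires sooner than one issued just after it.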