[wp-hackers] Rethinking check_admin_referer()

Matt Mullenweg m at mullenweg.com
Wed Apr 19 21:21:24 GMT 2006


David Chait wrote:
> And, sorry to jump backwards in the conversation to another thread point, 
> but I know someone mentioned the 'overhead' of actually writing temporary 
> hash codes, Nonces, whatever into the DB (with a timestamp... I did this 
> with a session-based custom PHP app, makes it a bit more secure, especially 
> with the last-visited IP ;).)  But we're talking administration commands 
> with effects here.  Just admins.  The overhead of reading/writing hashes, 
> when/where needed (even if it's every action/submit), for administration 
> should be negligible compared to the hits of hundreds, or thousands of users 
> (or more) per day.  Right?

We tried something like this on WP.com. There are weird proxies that 
change IP on every request, primarily from Asia it seemed. It was common 
enough that we took that check out.

-- 
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

