[wp-hackers] New secure cookie protocol in trunk
Ryan Boren
ryan at boren.nu
Sun Dec 16 18:00:00 GMT 2007
(Cross-posted to hackers and testers)
A new cookie protocol has landed in trunk. This protocol is based on
the one described here:
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
The cookie is laid out like so:
user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key
sk, the secret key, consists of a random string saved to the options
table in a "secret" field and a user definable secret key specified
in wp-config.php with the SECRET_KEY define. If SECRET_KEY is not
defined, the DB connect info is used to construct SECRET_KEY. Cookies
can be mass-expired by changing SECRET_KEY or "secret" in the options
table.
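A worked model of the cookie layout above, added here as an illustration and not WordPress's own code. It assumes SHA-256 as the HMAC hash and uses a constructed stand-in for sk; it also shows the mass-expiry property, since a cookie minted under one sk fails validation under another.

```python
import hmac
import hashlib
import time

# Constructed demo secret standing in for sk (SECRET_KEY + the "secret" option).
SECRET_KEY = b"constructed-demo-secret-not-a-real-wp-secret"


def _derive_k(user, expiration, sk):
    """k = HMAC(user name|expiration time, sk). SHA-256 is an assumption here."""
    msg = f"{user}|{expiration}".encode()
    return hmac.new(sk, msg, hashlib.sha256).digest()


def make_cookie(user, expiration, sk=SECRET_KEY):
    """Returns 'user name|expiration time|HMAC(user name|expiration time, k)'."""
    msg = f"{user}|{expiration}"
    k = _derive_k(user, expiration, sk)
    mac = hmac.new(k, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{mac}"


def validate_cookie(cookie, sk=SECRET_KEY, now=None):
    """Returns the user name if the cookie is well-formed, unexpired and
    carries a valid MAC under sk; otherwise returns None."""
    parts = cookie.split("|")
    if len(parts) != 3:            # also rejects user names containing '|'
        return None
    user, expiration, mac = parts
    if not expiration.isdigit():
        return None
    expiration = int(expiration)
    now = int(time.time()) if now is None else now
    if now > expiration:           # expiration check happens before the MAC
        return None
    # Recompute the MAC from the presented fields and compare in constant time.
    expected = make_cookie(user, expiration, sk).rsplit("|", 1)[1]
    if not hmac.compare_digest(mac, expected):
        return None
    return user
```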
This protocol requires the hash_hmac() function. This function is
available only in PHP 5.1.2 and later, so we added a PHP
implementation of it to compat.php. If you are using PHP versions <
5.1.2, let us know if you have any troubles with regard to
hash_hmac().
The cookie design is still being discussed, so expect some more
changes. You can join the ongoing design discussion here:
http://trac.wordpress.org/ticket/5367#comment:29