[wp-hackers] Wordpress Cookie Authentication Vulnerability
Otto
otto at ottodestruct.com
Wed Nov 21 03:34:08 GMT 2007
Great! Now that you like the idea, let me shoot it down. :)
This approach prevents "staying logged in" on multiple computers. I
login from work and home. I leave my cookie on both, and have no
issues. With this approach, I have to login every time, since the BRS
keeps changing. Can true session ID's solve this?
Longer term answer: Why are we building this logic ourselves anyway?
This seems like it should be a solved problem. Is there no PHP library
that will do this for us?
-Otto
On 11/20/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> > Is there any reason in particular WP is using MD5 as opposed to a
> > stronger algorithm?
>
> Yes, because WordPress still supports PHP 4.2, which doesn't really have
> any good support for a stronger algorithm.
>
> But as mentioned in the Trac ticket. MD5 isn't the issue here. The issue
> is that we have a guessable cookie, based on read-only database access or
> non-ssl network sniffing.
>
> I think Otto gave a nice overview of a possible solution. Which can
> optionally be enhanced by linking login cookies to ip-adresses to further
> minimize the chances of cookie stealing. (Mark the optional, because it
> can have unwanted side-effects in some network setups)
>
> Regards,
> Bas Bosman (Nazgul)
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list