[wp-hackers] Wordpress Cookie Authentication Vulnerability

Travis Snoozy ai2097 at users.sourceforge.net
Wed Nov 21 04:21:02 GMT 2007


On Tue, 20 Nov 2007 21:34:08 -0600, Otto <otto at ottodestruct.com> wrote:

> Great! Now that you like the idea, let me shoot it down. :)
> 
> This approach prevents "staying logged in" on multiple computers. I
> login from work and home. I leave my cookie on both, and have no
> issues. With this approach, I have to login every time, since the BRS
> keeps changing. Can true session IDs solve this?

Some administrators would find it to be wholly inappropriate to permit
permanent login, while others would find it absolutely necessary for
them to consider the product usable. Solution? Abstract it, and allow
for either to be implemented. WordPress already does this.

A plugin can totally bypass the login sequence for WordPress, and
replace the logic with something "better" (by whatever standard that's
judged by). I've done this, using my own personal super-favorite login
tracking method (PHP sessions), and it works great. No more secrets in
the cookie, problem solved -- for me, anyway; sessions time out, so
permanent logins are a no-go. ;)

> Longer term answer: Why are we building this logic ourselves anyway?
> This seems like it should be a solved problem. Is there no PHP library
> that will do this for us?

Some of us asked a question that leads down a very similar path[1]. Be
sure to let us know if you find an already-existing solution.


-- 
Travis 

In Series maintainer
Random coder & quality guy
<http://remstate.com/>

[1] http://awnist.com/wiki/Main_Page
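The message above describes replacing the cookie-based login check with PHP session tracking, so that the browser holds only an opaque session ID and the login state (and its timeout) lives on the server. The following is an added illustration of that pattern, not code from the post or from WordPress; the function names, the idle timeout value and the cookie settings are assumptions chosen for the example.

```php
<?php
// Added example: a minimal PHP-session-based login check of the kind the
// message describes as a replacement for a cookie that carries a secret.
// Not WordPress code; the function names below are hypothetical.
// Requires PHP 7.3+ for the array form of session_set_cookie_params().

// Seconds of inactivity before the session is dropped (assumed value).
const IDLE_TIMEOUT = 1800;

function secure_session_start(): void
{
    // The only thing sent to the browser is the opaque session ID; all
    // state (user, timestamps) lives server-side in $_SESSION.
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent only over HTTPS
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $user_id): void
{
    // Issue a fresh ID at the privilege change so a session ID obtained
    // before login cannot be carried over into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
}

function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    // Sessions expire on inactivity; this is why the approach gives no
    // "permanent login", as the message notes.
    if (time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the session cookie in the browser as well as destroying the
    // server-side record, so the old ID is useless on both ends.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch (would sit in the request handler):
// secure_session_start();
// if (credentials_ok($user, $pass)) { login_user($user_id); }   // credentials_ok() is hypothetical
// $uid = current_user();   // null when not logged in or timed out
```

The design point is the one the message makes: nothing in the cookie is derived from the user's credentials, so a captured cookie is worth only as long as the server-side session it names stays alive, and the server decides that lifetime.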

