[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Sat Dec 1 14:28:19 GMT 2007


#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):

 There are roughly two approaches to dealing with this problem.

 Sessions involve a record being kept of each login session, for which PHP
 already has existing infrastructure. The down side is that there is a
 database write for each login, and the size of the session table scales
 with the number of active sessions. Alternatively there can be a
 restriction of one session per user, as in westi's patch.

 An alternative is to use something along the lines of the
 [http://lists.grok.org.uk/pipermail/full-disclosure/2007-November/058611.html papers]
 I mentioned earlier. This
 supports multiple sessions per user, with no need to store extra state.
 Database writes are only needed on changing the password.

 A variant of this is to store the hash post-image of a cookie in the
 database, which means someone with read access to the database can't
 generate a valid cookie. The down side of this approach is that some
 fairly subtle cryptography is needed. I think it's possible to do with
 MD5, but will need some thought.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:21>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
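The stateless approach sketched in the comment above (cookies that verify without a session table, and that are invalidated by a password change), as an added illustration in Python. This is not code from the ticket, from the linked papers, or from WordPress, and it makes its own assumptions: the cookie layout `username|expiry|tag`, a per-installation `SERVER_SECRET` kept in configuration on disk rather than in the database, and a plain SHA-256 placeholder where a real system would use a slow, salted password hash. It also does not attempt the "hash post-image in the database" variant of the last paragraph; instead the forgery resistance against a database reader comes from the secret not being in the database.

```python
"""Stateless, HMAC-authenticated login cookie (added example, not WordPress code).

Cookie layout:  username|expiry|tag
    tag    = HMAC(K_user, username|expiry)
    K_user = HMAC(SERVER_SECRET, username|stored_password_hash)

What this shows:
  * no per-session table: any number of cookies per user verify statelessly
  * changing the password changes K_user, so every old cookie stops verifying
    (that password update is the only database write)
  * a reader of the users table sees the password hash but not SERVER_SECRET,
    so cannot compute a valid tag
"""
import hashlib
import hmac

# Assumption: a per-installation secret held in config on disk, never in the DB.
SERVER_SECRET = b"constructed-example-secret-keep-out-of-the-database"


def password_hash(password: str) -> str:
    """Placeholder for the stored password hash. A real deployment would use a
    slow, salted password hash (bcrypt/phpass), not a bare digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def _session_key(username: str, stored_hash: str) -> bytes:
    # Per-user key bound to the current password hash; a password change rotates it.
    msg = username.encode() + b"|" + stored_hash.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def _tag(username: str, expiry: int, stored_hash: str) -> str:
    payload = f"{username}|{expiry}".encode()
    return hmac.new(_session_key(username, stored_hash), payload, hashlib.sha256).hexdigest()


def issue_cookie(username: str, expiry: int, users: dict) -> str:
    """Mint a cookie valid until `expiry` (seconds since the epoch). Nothing is stored."""
    return f"{username}|{expiry}|{_tag(username, expiry, users[username])}"


def verify_cookie(cookie: str, now: int, users: dict):
    """Return the username if the cookie is genuine and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:          # also rejects usernames containing the separator
        return None
    username, expiry_s, tag = parts
    if not expiry_s.isdigit() or username not in users:
        return None
    expiry = int(expiry_s)
    if now >= expiry:
        return None
    expected = _tag(username, expiry, users[username])
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def change_password(username: str, new_password: str, users: dict) -> None:
    """The one database write; it implicitly revokes every outstanding cookie."""
    users[username] = password_hash(new_password)


if __name__ == "__main__":
    users = {"alice": password_hash("correct horse")}   # constructed user table
    c1 = issue_cookie("alice", 2_000_000_000, users)
    c2 = issue_cookie("alice", 2_000_000_100, users)    # second concurrent session
    print(verify_cookie(c1, 1_900_000_000, users), verify_cookie(c2, 1_900_000_000, users))
    change_password("alice", "new password", users)
    print(verify_cookie(c1, 1_900_000_000, users))      # None: old sessions revoked
```

The expiry is inside the authenticated payload, so a client cannot extend its own session by editing the number, and the username is bound into both the key and the payload, so a tag issued for one account does not transfer to another.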
