[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 6 12:51:07 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
 Reporter:  sjmurdoch                |        Owner:  westi
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4
Component:  Security                 |      Version:  2.3.1
 Severity:  normal                   |   Resolution:
 Keywords:  security, password, md5  |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
Replying to [comment:33 ryan]:
> Publishing a post to find that your cookie expired while you were
> composing will be an annoyance. Any way around that with this cookie
> protocol?
How about having two expiry times, a soft one and a hard one? If a user is
doing most actions, they will be asked to re-login after the soft expiry.
However, if they are composing, they will not be kicked out until the hard
expiry. The difference between the soft and hard expiry times is the
window where they can safely compose a post.

The two times could be explicitly included in a cookie. Alternatively the
hard one could be included and the user asked to renew if they're close.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:34>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
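
The soft/hard expiry scheme proposed in the comment above, sketched as an added example (not code from the ticket or from WordPress). It implements the first variant, with both times carried in the cookie; the cookie layout, the HMAC-SHA256 MAC, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: server-side secret, made up for this example

def _mac(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now, soft_ttl, hard_ttl, key=KEY):
    """Return 'user|soft|hard|mac'; the MAC covers both expiry times."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    if soft_ttl > hard_ttl:
        raise ValueError("soft expiry must not be later than hard expiry")
    body = f"{user}|{now + soft_ttl}|{now + hard_ttl}"
    return f"{body}|{_mac(body, key)}"

def check_cookie(cookie, now, composing, key=KEY):
    """Return 'ok', 'reauth' (expired for this action) or 'invalid'."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return "invalid"
    user, soft_s, hard_s, mac = parts
    expected = _mac(f"{user}|{soft_s}|{hard_s}", key)
    # Verify the MAC before trusting either timestamp.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    soft, hard = int(soft_s), int(hard_s)
    if now >= hard:
        return "reauth"          # hard expiry: no action gets past this
    if now >= soft and not composing:
        return "reauth"          # soft expiry: only composing is still allowed
    return "ok"

if __name__ == "__main__":
    # Constructed sample: issued at t=1000, soft expiry 4600, hard expiry 8200.
    c = issue_cookie("alice", now=1000, soft_ttl=3600, hard_ttl=7200)
    for t, composing in [(2000, False), (6000, False), (6000, True), (8200, True)]:
        print(t, composing, check_cookie(c, t, composing))
```

Because both timestamps sit under the MAC, a client cannot widen its own compose window by editing the hard expiry.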