[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 9 03:06:44 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by ryan):

 Replying to [comment:38 westi]:
 > Replying to [comment:37 ryan]:
 > > Any objections?  I'll commit this soon so testers can have a look at
 it.  We can tweak it from there.
 > I am not completely happy that the new cookie scheme doesn't handle the
 issue whereby someone with read access to the database can generate a
 valid cookie - in general users are not going to update the SECRET define
 and so won't benefit from it.

 We could incorporate your session key stuff into the currently unused data
 field of the cookie.  Store a random key in the cookie and store the hash
 of that key in the DB.  But, that brings us back to allowing only one
 session at at time and requiring a DB write for every successful login

 > What are the timeouts on the cookies it looks like 2 days or 14 days if
 I do my maths right - would we not do better with a shorter expiry time
 and resetting the cookie on every admin page access with a new expiry.

 Wouldn't that allow replaying an old cookie to get a new cookie with a
 fresh expiry?

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:39>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list