[wp-trac] Re: [WordPress Trac] #7001: Admin SSL Support
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 27 21:11:25 GMT 2008
#7001: Admin SSL Support
---------------------+------------------------------------------------------
Reporter: ryan | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.6
Component: General | Version:
Severity: normal | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment (by ryan):
So, 2.6 has two cookies. "wordpress_logged_in" is a read-only cookie that
is delivered for all pages. It indicates that the user is logged in and
allows looking at some of that user's private data. is_user_logged_in()
checks this cookie. "wordpress" is a read/write cookie that is delivered
only for wp-admin/. It has the power to make changes. auth_redirect()
checks this cookie. Since it is only delivered for wp-admin/, files in the
plugins directory that directly load admin.php will not be authorized.
This is a back compat break, which sucks, but it also prevents attacks
that mess around with files in the plugins directory from getting at the
auth cookie. If directly loading admin.php from the plugins directory is a
common practice, I guess we'll have to set an auth cookie for the plugins
directory.
--
Ticket URL: <http://trac.wordpress.org/ticket/7001#comment:15>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
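The cookie path scoping described in the comment above, as an added example (not WordPress code): a small Python model of RFC 6265 path-matching over a constructed cookie jar, showing which of the two cookies a browser attaches to admin, front-end and plugin-directory requests, and how adding a second "wordpress" cookie scoped to the plugins directory (the fallback the comment mentions) changes that.

```python
# Added example, not WordPress code. Cookie names come from the ticket; the
# paths and the jar layout are assumptions used to model browser behaviour.
from typing import List, Tuple

Jar = List[Tuple[str, str]]  # (cookie name, Path attribute)

# Constructed jar mirroring the two 2.6 cookies described in the ticket.
COOKIE_JAR: Jar = [
    ("wordpress_logged_in", "/"),          # read-only, sent for every page
    ("wordpress", "/wp-admin/"),           # read/write auth cookie, wp-admin/ only
]

# The fallback mentioned in the comment: an extra auth cookie for the plugins dir.
PLUGIN_DIR_JAR: Jar = COOKIE_JAR + [("wordpress", "/wp-content/plugins/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie path must equal the request
    path, or be a prefix of it ending in '/', or be a prefix followed by '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_sent(request_path: str, jar: Jar = COOKIE_JAR) -> List[str]:
    """Names of the cookies a conforming browser attaches to request_path."""
    return sorted(name for name, path in jar if path_matches(request_path, path))


def auth_redirect_would_pass(request_path: str, jar: Jar = COOKIE_JAR) -> bool:
    """Models auth_redirect(): only the read/write 'wordpress' cookie authorizes."""
    return "wordpress" in cookies_sent(request_path, jar)


if __name__ == "__main__":
    for p in ("/wp-admin/post.php", "/index.php", "/wp-content/plugins/foo/admin.php"):
        print(p, cookies_sent(p), auth_redirect_would_pass(p))
    # With the plugins-directory cookie the plugin-loaded admin.php is authorized
    # again, which is exactly what widens the auth cookie's exposure.
    print(auth_redirect_would_pass("/wp-content/plugins/foo/admin.php", PLUGIN_DIR_JAR))
```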