[wp-trac] [WordPress Trac] #8212: generate/validate_auth_cookie doesn't always check scheme
WordPress Trac
wp-trac at lists.automattic.com
Fri Nov 14 11:16:06 GMT 2008
#8212: generate/validate_auth_cookie doesn't always check scheme
------------------------+---------------------------------------------------
Reporter: tellyworth | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.8
Component: General | Version:
Severity: normal | Keywords:
------------------------+---------------------------------------------------
When using wp_generate_auth_cookie() and wp_validate_auth_cookie() with
one of the standard auth schemes (auth, secure_auth, logged_in), the
cookie will correctly fail to validate if the wrong scheme is used:
{{{
// A cookie issued for one built-in scheme validates under that scheme only.
$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
$this->assertEquals( 1, wp_validate_auth_cookie($cookie, 'auth') ); // pass
$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'logged_in') ); // pass
}}}
However this is not the case when arbitrary auth schemes are used. The
cookie will validate even if the scheme is incorrect.
{{{
// Unexpired cookie, as in the cases above, so that only the scheme mismatch
// is under test (an expired cookie is rejected regardless of scheme).
$cookie = wp_generate_auth_cookie(1, time() + 3600, 'foo');
$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'bar') ); // this should fail, but doesn't
}}}
The reason the built-in schemes work as expected is that they each use a
unique salt. Arbitrary schemes all use the same salt (see wp_salt()).
NB: I don't believe this is a core security issue, but fixing it could
prevent future problems.
--
Ticket URL: <http://trac.wordpress.org/ticket/8212>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
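Added example, not code from the ticket or from WordPress itself: a small Python model of the salt lookup the reporter describes. Built-in schemes map to their own salts while every other scheme name falls through to one shared salt, so a cookie issued for scheme 'foo' carries exactly the HMAC that scheme 'bar' would compute, and cross-scheme validation succeeds. The block also shows one possible fix (an assumption, not the patch that eventually landed): derive a distinct salt for non-built-in schemes from the scheme name. The secrets, user table and single-step HMAC are constructed stand-ins for wp-config.php keys and for wp_hash(); the real functions differ in detail but not in the property being demonstrated.

```python
import hashlib
import hmac

# Constructed secrets standing in for the wp-config.php keys (not real values).
SECRET_KEY = b"constructed-secret-key"
SCHEME_SALTS = {
    "auth": b"constructed-auth-salt",
    "secure_auth": b"constructed-secure-auth-salt",
    "logged_in": b"constructed-logged-in-salt",
}
DEFAULT_SALT = b"constructed-default-salt"

# Constructed user table: id -> login name.
USERS = {1: "admin"}


def wp_salt_before(scheme):
    """Salt lookup as the ticket describes it: built-in schemes get their own
    salt, every other scheme shares DEFAULT_SALT (the bug)."""
    return SECRET_KEY + SCHEME_SALTS.get(scheme, DEFAULT_SALT)


def wp_salt_after(scheme):
    """Assumed fix (not the committed patch): unknown schemes get a salt
    derived from the scheme name, so 'foo' and 'bar' no longer collide."""
    if scheme in SCHEME_SALTS:
        return SECRET_KEY + SCHEME_SALTS[scheme]
    return SECRET_KEY + hmac.new(SECRET_KEY, scheme.encode(), hashlib.md5).digest()


def wp_hash(data, scheme, salt_fn):
    # Single HMAC keyed with the scheme's salt; a stand-in for wp_hash().
    return hmac.new(salt_fn(scheme), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(user_id, expiration, scheme, salt_fn):
    login = USERS[user_id]
    mac = wp_hash(f"{login}|{expiration}", scheme, salt_fn)
    return f"{login}|{expiration}|{mac}"


def validate_auth_cookie(cookie, scheme, salt_fn, now):
    """Returns the user id on success, False otherwise. `now` is passed in
    explicitly so results are deterministic."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    login, expiration, mac = parts
    if int(expiration) < now:
        return False  # expired cookies fail whatever scheme is asked for
    expected = wp_hash(f"{login}|{expiration}", scheme, salt_fn)
    if not hmac.compare_digest(mac, expected):
        return False
    for uid, name in USERS.items():
        if name == login:
            return uid
    return False


def cross_scheme_results(salt_fn, now=1_000_000):
    """Reproduces the ticket's four cases under a given salt lookup."""
    exp = now + 3600
    auth_cookie = generate_auth_cookie(1, exp, "auth", salt_fn)
    foo_cookie = generate_auth_cookie(1, exp, "foo", salt_fn)
    expired = generate_auth_cookie(1, now - 3600, "foo", salt_fn)
    return {
        "auth->auth": validate_auth_cookie(auth_cookie, "auth", salt_fn, now),
        "auth->logged_in": validate_auth_cookie(auth_cookie, "logged_in", salt_fn, now),
        "foo->foo": validate_auth_cookie(foo_cookie, "foo", salt_fn, now),
        "foo->bar": validate_auth_cookie(foo_cookie, "bar", salt_fn, now),
        "expired foo->foo": validate_auth_cookie(expired, "foo", salt_fn, now),
    }


if __name__ == "__main__":
    print("shared salt :", cross_scheme_results(wp_salt_before))
    print("per-scheme  :", cross_scheme_results(wp_salt_after))
```

With wp_salt_before, "foo->bar" returns the user id just like "foo->foo", because both schemes resolve to the same key and the cookie body does not name the scheme; with wp_salt_after the scheme name is folded into the key and the mismatch is rejected. The expired case is included to show why the reporter's second test must use an unexpired cookie: expiry alone already yields false.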