[wp-trac] Re: [WordPress Trac] #9752: conflict: cookies with security features (auth, secure_auth, logged_in, nonce keys)

WordPress Trac wp-trac at lists.automattic.com
Sat May 9 11:45:39 GMT 2009


#9752: conflict: cookies with security features (auth, secure_auth, logged_in,
nonce keys)
----------------------------+-----------------------------------------------
 Reporter:  norwat          |       Owner:  anonymous                                                  
     Type:  defect (bug)    |      Status:  new                                                        
 Priority:  normal          |   Milestone:  2.8                                                        
Component:  Administration  |     Version:  2.7.1                                                      
 Severity:  major           |    Keywords:  needs-patch dev-feedback reporter-feedback security cookies
----------------------------+-----------------------------------------------

Comment(by hakre):

 Norwat, I was able to delete the User with the UserID 1. I tested that
 with the current 2.8 trunk version before making the suggestion.

 The information stored with the browser is stored in the cookies. When I
 perform a typical login with my new Admin user I get the following cookies
 (leaving Remember Me unchecked):

 Name: wordpress_test_cookie
 Content: WP+Cookie+check
 Note: This is a cookie to test whether or not your Browser accepts Cookies

 Name: wordpress_a0be5ceeffc28c7caa836f171da9c323
 Content: Admin2%7C1242040204%7C4ab0fdcd8c4582ef39f6bf446ceadfa6
 Path: /wordpress-trunk/wp-content/plugins
 Note: I have no info about this cookie. It is related to the Account Name
 ('Admin2' in this case). a0be5ceeffc28c7caa836f171da9c323 is the so called
 COOKIEHASH which is md5(get_option('siteurl')).

 Name: wordpress_a0be5ceeffc28c7caa836f171da9c323
 Content: Admin2%7C1242040204%7C4ab0fdcd8c4582ef39f6bf446ceadfa6
 Path: /wordpress-trunk/wp-admin
 Note: Same as above only with a different path.

 Name: wordpress_logged_in_a0be5ceeffc28c7caa836f171da9c323
 Content: Admin2%7C1242040204%7C8167f7683d14a5e2237358d63b2baa6a
 Path: /wordpress-trunk/
 Note: I have no info about this cookie. It is related to the Account
 Name.

 Name: wp-settings-2
 Content:
 m0%3Dc%26m1%3Dc%26m2%3Dc%26m3%3Dc%26m4%3Dc%26m5%3Do%26m6%3Dc%26m7%3Dc%26m8%3Dc
 Path: /wordpress-trunk/
 Note: User Settings. This is bound to the UserID (2 in this case). This is
 mostly for Screen Options (Number of Rows displayed, which columns to
 display) in the Backend. It is not bound to a specific WordPress
 Installation, only by the path. That is 'wordpress-trunk' in my case.

 Name: wp-settings-time-2
 Content: 1241867405
 Path: /wordpress-trunk/
 Note: Another user Setting, unknown to me which one. Bound to the UserID
 again.

 This setup is using the default configuration keys:
 {{{
 define('AUTH_KEY', 'put your unique phrase here');
 define('SECURE_AUTH_KEY', 'put your unique phrase here');
 define('LOGGED_IN_KEY', 'put your unique phrase here');
 define('NONCE_KEY', 'put your unique phrase here');
 }}}

 This is the cookies array viewed from the Server Side in PHP (path:
 /wordpress-trunk/wp-admin/):
 {{{
 array
   'wordpress_a0be5ceeffc28c7caa836f171da9c323' => string 'Admin2|1242040204|4ab0fdcd8c4582ef39f6bf446ceadfa6' (length=50)
   'wordpress_test_cookie' => string 'WP Cookie check' (length=15)
   'wordpress_logged_in_a0be5ceeffc28c7caa836f171da9c323' => string 'Admin2|1242040204|8167f7683d14a5e2237358d63b2baa6a' (length=50)
   'wp-settings-2' => string 'm0=c&m1=c&m2=c&m3=c&m4=c&m5=o&m6=c&m7=c&m8=c' (length=44)
   'wp-settings-time-2' => string '1241867405' (length=10)
 }}}

 As far as I can see there is no duplicate use of cookies between two
 WordPress installations on the same server. Because of the set paths for
 the cookies this should not happen.

 There is some cookie stored information that is not aware of the current
 host/path the wordpress blog is published under and it is auth related:
 wp_parse_auth_cookie().

 What I'm missing is the PHP Session Cookie. I can't find it. But anyway it
 looks like PHP Session Management is not used at all. To check this I
 disabled it on the fly and everything still works.

 To analyze further I suggest you name the siteurls of the two blogs so that
 it is easier to gain a better picture.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9752#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
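The cookie layout hakre lists above, worked through as an added Python example that is not part of the ticket or of WordPress itself: it splits the auth cookie into user|expiration|hmac the way wp_parse_auth_cookie does, builds the cookie name from md5(siteurl) as the comment describes COOKIEHASH, and uses a simplified HMAC model (an assumption, not WordPress's exact key derivation, which also mixes in a salt) to show that two installs both left on the default 'put your unique phrase here' keys accept each other's cookies. The siteurl and the second key are constructed values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, unquote

# Values copied from the cookie listing in the comment; %7C decodes to '|'.
LOGGED_IN_COOKIE = unquote("Admin2%7C1242040204%7C8167f7683d14a5e2237358d63b2baa6a")
SETTINGS_COOKIE = unquote("m0%3Dc%26m1%3Dc%26m2%3Dc%26m3%3Dc%26m4%3Dc%26m5%3Do%26m6%3Dc%26m7%3Dc%26m8%3Dc")
SETTINGS_TIME = 1241867405                    # wp-settings-time-2, roughly the login time
DEFAULT_KEY = "put your unique phrase here"   # the unchanged wp-config.php value

def cookie_name(scheme, siteurl):
    """Cookie name per scheme: prefix + COOKIEHASH, where COOKIEHASH = md5(siteurl)."""
    prefix = {"auth": "wordpress_", "secure_auth": "wordpress_sec_",
              "logged_in": "wordpress_logged_in_"}[scheme]
    return prefix + hashlib.md5(siteurl.encode()).hexdigest()

def parse_auth_cookie(value):
    """Split 'user|expiration|hmac' as wp_parse_auth_cookie does; reject anything else."""
    parts = value.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2]

def seconds_remaining(value, now):
    parsed = parse_auth_cookie(value)
    return None if parsed is None else parsed[1] - now

def sign_cookie(user, expiration, key):
    """Simplified issuer model: HMAC-MD5 over 'user|expiration' (assumption: real WordPress also mixes a salt into the key)."""
    mac = hmac.new(key.encode(), f"{user}|{expiration}".encode(), "md5").hexdigest()
    return f"{user}|{expiration}|{mac}"

def verify_cookie(value, key, now):
    """Accept only an unexpired cookie whose MAC matches under this site's key."""
    parsed = parse_auth_cookie(value)
    if parsed is None or parsed[1] < now:
        return False
    user, expiration, mac = parsed
    expected = hmac.new(key.encode(), f"{user}|{expiration}".encode(), "md5").hexdigest()
    return hmac.compare_digest(expected, mac)

def accepted_across_sites(key_a, key_b, now=SETTINGS_TIME):
    """Would a cookie issued by a site using key_a verify on a site using key_b?
    With both sites on DEFAULT_KEY the answer is yes, which is why unique keys matter."""
    return verify_cookie(sign_cookie("Admin2", 1242040204, key_a), key_b, now)

def parse_settings(value):
    """wp-settings-<uid> is a query string of screen-option flags (m0..m8 here)."""
    return {k: v[0] for k, v in parse_qs(value).items()}
```

The gap between the cookie's expiration and wp-settings-time-2 comes out at 172799 seconds, i.e. two days, which matches a login without Remember Me checked.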

