[wp-trac] [WordPress Trac] #20253: SSL login in custom port
WordPress Trac
wp-trac at lists.automattic.com
Sun Mar 18 14:56:27 UTC 2012
#20253: SSL login in custom port
---------------------------+------------------------------
 Reporter:  rseabra        |       Owner:
     Type:  enhancement    |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Template       |     Version:
 Severity:  normal         |  Resolution:
 Keywords:  has-patch ssl  |
---------------------------+------------------------------
Comment (by Ipstenu):
> I don't see why it wouldn't work in a subdir, though, as it adds the
> port before the path component of the url, if I understood the code
> correctly.
Give it a shot and you may see. But remember to also test having WP in a
subdir but running out of root.
ex: Site URL: http://example.com & WordPress Address:
http://example.com/wordpress
Gotta hit your contingencies :)
(Part of why it's not a security ticket: SSL is an improvement to password
security, but leaves you open to other man-in-the-middle attacks.
Example: There's no originating-IP check, so if they get your cookie, they
can impersonate you without any more work to spoof IPs etc. Also there's
no session ID to mark a user as logged in, it's done with two cookies, so
while the password in the cookie is safely hashed, it's not 'enough' since
if I have that cookie, I can log in and ostensibly change the password.
SSL is already possible with WP, you're just putting a way to make it work
on a separate port, which is a very minor security improvement in the
grand scheme of things. A well useful one that I laud, but it's getting a
security chain on your door that already has a lock.)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20253#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software