[wp-trac] [WordPress Trac] #20276: Tie nonces to the current session
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 21 20:32:28 UTC 2012
#20276: Tie nonces to the current session
-------------------------+-----------------------------
Reporter: ryan | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: |
-------------------------+-----------------------------
Changes (by nacin):
* type: defect (bug) => enhancement
Comment:
I imagine we can take a piece of the auth cookie and include it in the
hash. We'll need to include an identifier at a consistent location in the
nonce in order to make note of which cookie was used, as we are going to
want to leverage the SSL cookie if possible; other times we may need to
use the logged_in cookie (say, the logout nonce).
If we generate a nonce in the backend with an admin cookie, but try to use
the nonce on the frontend, the nonce will fail. So perhaps we need to
stick to logged_in cookie for now.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20276#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
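The scheme sketched in the comment above, written out as an added example. This is not WordPress core code and does not use its function names; it is a stand-alone PHP sketch of the idea: mix a piece of the authentication cookie into the nonce hash, and put a one-character identifier at a fixed position in the nonce so the verifier knows which cookie to read back. The salt, cookie values, tick function, and the `create_nonce`/`verify_nonce` names are constructed for the example. The demonstration at the bottom reproduces the failure case nacin describes: a nonce tied to the SSL-only auth cookie cannot be verified on the front end, where only the logged_in cookie is sent, while a nonce tied to the logged_in cookie works in both places and stops working once the session token changes.

```php
<?php
// Added example, not WordPress core code: a nonce bound to the current
// session by mixing a piece of the auth cookie into the hash, with an
// identifier at a consistent location saying which cookie was used.
declare(strict_types=1);

// Constructed stand-ins (hypothetical names) for the site secret and lifetime.
const EXAMPLE_NONCE_SALT = 'constructed-nonce-salt-do-not-reuse';
const NONCE_LIFE = 24 * 60 * 60; // seconds a nonce stays valid

// Identifier stored as the first character of every nonce.
const COOKIE_ID_LOGGED_IN   = 'l'; // logged_in cookie: sent on front and back end
const COOKIE_ID_SECURE_AUTH = 's'; // secure_auth cookie: only sent to wp-admin over SSL

/** Constructed cookie values; a real implementation would read $_COOKIE. */
function example_cookies(): array {
    return [
        COOKIE_ID_LOGGED_IN   => 'logged_in|session-token-a1b2c3d4|mac',
        COOKIE_ID_SECURE_AUTH => 'secure_auth|session-token-a1b2c3d4|mac',
    ];
}

/** Coarse clock: a nonce is accepted for the current and the previous half-window. */
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

/**
 * The "piece of the auth cookie" that goes into the hash. Deriving it with an
 * HMAC means the raw cookie value never appears in, or is recoverable from,
 * the nonce; only the holder of the same cookie can reproduce it.
 */
function session_piece(string $cookie_value): string {
    return hash_hmac('sha256', $cookie_value, EXAMPLE_NONCE_SALT);
}

function nonce_hash(int $tick, string $action, int $user_id, string $cookie_value): string {
    $data = implode('|', [$tick, $action, $user_id, session_piece($cookie_value)]);
    return substr(hash_hmac('sha256', $data, EXAMPLE_NONCE_SALT), -12, 10);
}

/** Create a nonce for $action, tied to the cookie selected by $cookie_id. */
function create_nonce(string $action, int $user_id, string $cookie_id, array $cookies, int $now): string {
    if (!isset($cookies[$cookie_id])) {
        throw new InvalidArgumentException("no cookie present for identifier '$cookie_id'");
    }
    // Identifier first, at a fixed position, then the session-bound hash.
    return $cookie_id . nonce_hash(nonce_tick($now), $action, $user_id, $cookies[$cookie_id]);
}

/** Returns 1 (current half-window), 2 (previous half-window) or 0 (invalid). */
function verify_nonce(string $nonce, string $action, int $user_id, array $cookies, int $now): int {
    // Read the identifier from its consistent location to pick the right cookie.
    $cookie_id = substr($nonce, 0, 1);
    if (!isset($cookies[$cookie_id])) {
        return 0; // the cookie this nonce was tied to was not sent with this request
    }
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        $expected = $cookie_id . nonce_hash($t, $action, $user_id, $cookies[$cookie_id]);
        if (hash_equals($expected, $nonce)) {
            return $age;
        }
    }
    return 0;
}

// Demonstration with constructed requests.
$now = 1332361948; // constructed timestamp
$admin_request = example_cookies(); // wp-admin over SSL: both cookies present
$front_request = [COOKIE_ID_LOGGED_IN => $admin_request[COOKIE_ID_LOGGED_IN]]; // front end: logged_in only
$other_session = [COOKIE_ID_LOGGED_IN => 'logged_in|session-token-ffffffff|mac']; // different login

$nonce_secure = create_nonce('delete-post_7', 1, COOKIE_ID_SECURE_AUTH, $admin_request, $now);
$nonce_logged = create_nonce('delete-post_7', 1, COOKIE_ID_LOGGED_IN,   $admin_request, $now);

$cases = [
    'secure-bound nonce, same admin request'      => verify_nonce($nonce_secure, 'delete-post_7', 1, $admin_request, $now),
    'secure-bound nonce, used on the front end'   => verify_nonce($nonce_secure, 'delete-post_7', 1, $front_request, $now),
    'logged_in-bound nonce, used on the front end'=> verify_nonce($nonce_logged, 'delete-post_7', 1, $front_request, $now),
    'logged_in-bound nonce, different session'    => verify_nonce($nonce_logged, 'delete-post_7', 1, $other_session, $now),
    'logged_in-bound nonce, wrong action'         => verify_nonce($nonce_logged, 'trash-post_7',  1, $front_request, $now),
];
foreach ($cases as $label => $result) {
    printf("%-46s %s\n", $label, $result ? "valid (age $result)" : 'invalid');
}
```

Run with `php nonce_example.php`. The second case is the one the comment warns about: the nonce carries the `s` identifier, the front-end request has no secure_auth cookie to look up, and verification fails before any hash is computed. Binding to the logged_in cookie instead (third case) verifies on both front and back end, and the fourth case shows the property the ticket is after: the same nonce string is rejected as soon as it is presented under a different session token.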