[wp-trac] [WordPress Trac] #19599: Localizations should not need to worry about the default secret key
WordPress Trac
wp-trac at lists.automattic.com
Thu May 24 07:42:39 UTC 2012
#19599: Localizations should not need to worry about the default secret key
----------------------------+-----------------------
 Reporter:  nacin           |       Owner:  nacin
     Type:  task (blessed)  |      Status:  reopened
 Priority:  high            |   Milestone:  3.4
Component:  I18N            |     Version:  3.4
 Severity:  blocker         |  Resolution:
 Keywords:  has-patch       |
----------------------------+-----------------------
Comment (by markjaquith):
Having the update-initiating user get kicked out during the update process
is unacceptable. Terrible user experience. That's the blocker. Less of a
blocker, but still annoying, is that other site users will get their
cookies invalidated.
Proposal: for 3.4, we continue to accept login cookies salted with the old
default constant salts, and upgrade them to the new cookie with the db-
driven salts on the fly. Then, for 3.5, we stop accepting the old default
constant salts. This puts off the security-enhancing benefit, but will
result in a better user experience, as only people who haven't logged in
to WP since 3.3 will get the boot in 3.5.
Thoughts?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19599#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
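
The transitional scheme proposed in the comment above, sketched as an added example (not WordPress core code and not from the ticket's patch). The cookie layout "user|expiry|hmac", the function names and the salt values are assumptions made for illustration; WordPress's real cookie format differs.

```php
<?php
// Simplified cookie "user|expiry|hmac" (an assumption, not WordPress's layout).
function sign_cookie(string $user, string $expiry, string $salt): string {
    return $user . '|' . $expiry . '|' . hash_hmac('sha256', $user . '|' . $expiry, $salt);
}

// Returns ['user' => string, 'reissue' => ?string], or null if the cookie is rejected.
// 'reissue' holds a replacement cookie when the old salt was what validated it.
function verify_with_migration(string $cookie, string $dbSalt, string $legacySalt,
                               bool $acceptLegacy, int $now): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;                       // malformed
    }
    [$user, $expiry, $mac] = $parts;
    if ((int) $expiry < $now) {
        return null;                       // expired
    }
    $payload = $user . '|' . $expiry;
    // Normal path: cookie was issued under the database-driven salt.
    if (hash_equals(hash_hmac('sha256', $payload, $dbSalt), $mac)) {
        return ['user' => $user, 'reissue' => null];
    }
    // Transitional path ("3.4" in the proposal): accept the old default salt and
    // hand back a cookie re-signed with the new salt, keeping the original expiry.
    // While this flag is on, the benefit of retiring the default salt is deferred.
    if ($acceptLegacy && hash_equals(hash_hmac('sha256', $payload, $legacySalt), $mac)) {
        return ['user' => $user, 'reissue' => sign_cookie($user, $expiry, $dbSalt)];
    }
    return null;
}

// Constructed sample values, for illustration only.
$legacySalt = 'constructed-default-constant-salt';
$dbSalt     = 'constructed-db-generated-salt';
$now        = 1337845359;
$oldCookie  = sign_cookie('admin', (string) ($now + 3600), $legacySalt);

// Transitional release: the old cookie is accepted and upgraded on the fly.
$first = verify_with_migration($oldCookie, $dbSalt, $legacySalt, true, $now);
var_dump($first !== null, $first['reissue'] !== null);

// Following release ("3.5"): legacy acceptance is off. The upgraded cookie still
// validates; a cookie that was never upgraded is rejected.
var_dump(verify_with_migration($first['reissue'], $dbSalt, $legacySalt, false, $now) !== null);
var_dump(verify_with_migration($oldCookie, $dbSalt, $legacySalt, false, $now));
```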