[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions (was: Tie nonces to the current session)
WordPress Trac
noreply at wordpress.org
Wed Aug 7 13:59:50 UTC 2013
#20276: Tie nonces and cookies to expirable sessions
-------------------------+------------------
 Reporter:  ryan         |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  3.7
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |
-------------------------+------------------
Changes (by duck_):
* keywords: => has-patch
* milestone: Future Release => 3.7
Comment:
[attachment:20276.diff] is a first pass at implementing expirable
sessions. This patch aims to make auth cookies unforgeable with read-only
access to the filesystem and/or database, and to invalidate auth cookies
upon explicit logout.
On login a long random string, r, is generated. r is included in the
user's cookie and H(r) is stored in the database. On future requests, r is
extracted from the cookie and H(r) is compared to the value in the
database. Storing the hash of r means that read-only SQL injection does
not allow an attacker to create cookies since they cannot reverse the
value to find a valid r. Each "session token" is also associated with an
expiry time, so they can only be used for a limited time.
This information is stored in the database as a piece of user meta named
"session_tokens" that is an array mapping the random strings to expiry
time. Expired tokens are cleared upon login and logout. The current token,
as found in the cookie, is also removed from the array on logout.
Questions to answer:
* Should there be a limit on the number of session tokens?
* How should the new `$token` parameter be added to
`wp_generate_auth_cookie()`? Currently it's just added in the middle. This
is nicer, but not backwards compatible.
* Could documentation about these "sessions" be confused with native PHP
sessions?
Todo:
* Use the session token as part of nonce generation.
* Add an action if `wp_verify_session_token()` fails (?)
* Better method for expiry. `_session_not_expired()` calls `time()` for
every array element.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20276#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
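The token scheme described in the comment above (random `r` in the cookie, `H(r)` and an expiry in the user's "session_tokens" meta, current token dropped on logout, expired tokens purged), as an added stand-alone illustration. This is not the code from 20276.diff or from WordPress core: the `SessionTokenStore` class and its method names are invented for the example, the user-meta array is replaced by an in-memory array, and the cap on concurrent sessions is one possible answer to the open question in the comment, not something the patch does. It also calls `time()` once per purge rather than once per element, the alternative the todo list asks for.

```php
<?php
// Added example of the expirable-session-token scheme from ticket #20276.
// Not the patch's code: class/method names are hypothetical, and the
// "session_tokens" user meta is modelled as an in-memory array.
// Requires PHP 8.0+ (constructor promotion, named arguments).

final class SessionTokenStore
{
    /** @var array<string, int> H(r) => expiry timestamp; stands in for the
     *  "session_tokens" user-meta array. Only the hash is ever stored. */
    private array $tokens = [];

    /** $maxTokens is an assumption for the example (the ticket leaves the
     *  question of a limit open). */
    public function __construct(private int $maxTokens = 10) {}

    private static function hashToken(string $r): string
    {
        // A read-only dump (e.g. read-only SQL injection) yields only H(r),
        // which cannot be inverted to a usable r.
        return hash('sha256', $r);
    }

    /** Login: mint a fresh random r, persist H(r) with an expiry, and return
     *  r for inclusion in the auth cookie. */
    public function create(int $ttlSeconds, ?int $now = null): string
    {
        $now = $now ?? time();
        $this->purgeExpired($now);

        // Cap live sessions by evicting the soonest-to-expire token.
        if (count($this->tokens) >= $this->maxTokens) {
            asort($this->tokens);
            unset($this->tokens[array_key_first($this->tokens)]);
        }

        $r = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG
        $this->tokens[self::hashToken($r)] = $now + $ttlSeconds;
        return $r;
    }

    /** Request: r from the cookie is valid iff H(r) is stored and unexpired. */
    public function verify(string $r, ?int $now = null): bool
    {
        $now = $now ?? time();
        $expiry = $this->tokens[self::hashToken($r)] ?? null;
        return $expiry !== null && $expiry > $now;
    }

    /** Logout: drop the current token and any expired ones. */
    public function destroy(string $r, ?int $now = null): void
    {
        unset($this->tokens[self::hashToken($r)]);
        $this->purgeExpired($now ?? time());
    }

    /** One clock read per purge, then a single filter pass. */
    private function purgeExpired(int $now): void
    {
        $this->tokens = array_filter(
            $this->tokens,
            static fn (int $expiry): bool => $expiry > $now
        );
    }

    public function count(): int
    {
        return count($this->tokens);
    }
}

// Walk-through with a fixed clock so expiry and logout behaviour are visible.
$store = new SessionTokenStore(maxTokens: 2);
$t0 = 1_375_884_000;                                  // arbitrary fixed "now"

$r1 = $store->create(ttlSeconds: 3600, now: $t0);
assert($store->verify($r1, $t0 + 10) === true);       // live session
assert($store->verify($r1, $t0 + 3600) === false);    // expired
assert($store->verify('deadbeef', $t0) === false);    // forged cookie value

$r2 = $store->create(3600, $t0);
$r3 = $store->create(3600, $t0);                      // cap of 2: oldest evicted
assert($store->count() === 2);

$store->destroy($r2, $t0);                            // explicit logout
assert($store->verify($r2, $t0 + 10) === false);
assert($store->verify($r3, $t0 + 10) === true);
```

Run with `php -d zend.assertions=1 session_tokens.php` so the `assert()` calls are evaluated. In a real deployment `r` would still be bound into the HMAC that `wp_generate_auth_cookie()` already computes, so that the cookie's user and expiry fields remain tamper-evident; the store above only adds the server-side revocation and expiry that the ticket is after.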