[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions
WordPress Trac
noreply at wordpress.org
Wed Aug 7 14:29:18 UTC 2013
#20276: Tie nonces and cookies to expirable sessions
-------------------------+------------------
Reporter: ryan | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.7
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch |
-------------------------+------------------
Old description:
> OWASP specifies that "the synchronizer token pattern requires the
> generating of random challenge tokens that are associated with the user's
> current session." Our nonces have a timeout, but that timeout can span
> cookie sessions. Instead, nonces should be somehow tied to the current
> auth cookie and invalidate whenever the cookie invalidates.
>
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
New description:
Authentication cookies are reusable even after a user decides to
explicitly log out. Cookies should be tied to an expirable session that can
also be deleted upon logout.

Also, nonce security can be improved by associating them with the same
session information. OWASP specifies that "the synchronizer token pattern
requires the generating of random challenge tokens that are associated
with the user's current session." Our nonces have a timeout, but that
timeout can span cookie sessions. Instead, nonces should be somehow tied
to the current auth cookie and invalidate whenever the cookie invalidates.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
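The description above asks for two properties: an auth cookie that stops working once its session is deleted (logout) or expires, and nonces that die with that same session rather than outliving it. The following is an added illustration of that design, not WordPress code and not the patch attached to this ticket. It assumes an in-memory session table keyed by a random session token (standing in for whatever the real implementation stores per user), a constructed secret key, and a 12-hour nonce window; the nonce is an HMAC over the user id, the session token, the action and a time tick, so it can only verify while the session it was issued under is still alive.

```python
import hmac
import hashlib
import secrets

# Constructed values for the demo; a real deployment would use its own secret
# salts and tune the lifetimes to its policy.
SECRET_KEY = b"constructed-demo-secret-not-a-real-salt"
SESSION_LIFETIME = 60 * 60 * 24 * 2   # two days, in seconds (assumption)
NONCE_LIFETIME = 60 * 60 * 12         # one nonce "tick" is 12 hours (assumption)


class SessionStore:
    """In-memory session table keyed by a random token (hypothetical stand-in
    for per-user session storage). Logout deletes the row; expiry is checked
    on every lookup."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, now):
        token = secrets.token_hex(32)
        self._sessions[token] = {"user_id": user_id, "expires": now + SESSION_LIFETIME}
        return token

    def is_valid(self, token, now):
        s = self._sessions.get(token)
        return s is not None and now < s["expires"]

    def destroy(self, token):
        # Explicit logout: the token, and everything bound to it, is gone.
        self._sessions.pop(token, None)


def _sign(user_id, token, action, tick):
    # Binding the session token into the MAC input is what ties the nonce to
    # the cookie session instead of only to the user.
    msg = f"{user_id}|{token}|{action}|{tick}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(store, user_id, token, action, now):
    if not store.is_valid(token, now):
        raise ValueError("cannot issue a nonce without a live session")
    return _sign(user_id, token, action, now // NONCE_LIFETIME)


def verify_nonce(store, user_id, token, action, nonce, now):
    # A nonce is only meaningful while the session that issued it exists and
    # has not expired; a logged-out or expired session fails before any MAC
    # check, so the nonce's own timeout can no longer outlive the cookie.
    if not store.is_valid(token, now):
        return False
    tick = now // NONCE_LIFETIME
    # Accept the current tick and the previous one so a nonce issued just
    # before a boundary still verifies (a short grace window, as WordPress does).
    for t in (tick, tick - 1):
        if hmac.compare_digest(_sign(user_id, token, action, t), nonce):
            return True
    return False


def logout_case():
    """Returns (verifies before logout, verifies after logout)."""
    store = SessionStore()
    now = 1_700_000_000
    token = store.create(user_id=7, now=now)
    nonce = create_nonce(store, 7, token, "delete-post_42", now)
    before = verify_nonce(store, 7, token, "delete-post_42", nonce, now + 60)
    store.destroy(token)  # user clicks "log out"
    after = verify_nonce(store, 7, token, "delete-post_42", nonce, now + 60)
    return before, after


def expiry_case():
    """Returns (verifies inside session lifetime, verifies after it expired)."""
    store = SessionStore()
    now = 1_700_000_000
    token = store.create(user_id=7, now=now)
    nonce = create_nonce(store, 7, token, "edit-post_42", now)
    inside = verify_nonce(store, 7, token, "edit-post_42", nonce, now + 60)
    expired = verify_nonce(store, 7, token, "edit-post_42", nonce, now + SESSION_LIFETIME + 1)
    return inside, expired


def wrong_action_case():
    """A nonce minted for one action must not verify for another."""
    store = SessionStore()
    now = 1_700_000_000
    token = store.create(user_id=7, now=now)
    nonce = create_nonce(store, 7, token, "delete-post_42", now)
    return verify_nonce(store, 7, token, "delete-post_43", nonce, now)


if __name__ == "__main__":
    print("logout:", logout_case(), "expiry:", expiry_case(), "wrong action:", wrong_action_case())
```

The check that matters is the order of operations in `verify_nonce`: session validity is decided first, so a nonce captured before logout is worthless afterwards even though its own 12-hour tick has not elapsed. The same ordering applies to the cookie itself: a cookie carrying a token that no longer exists in the store is rejected regardless of its embedded expiry.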
--
Comment (by duck_):
> How should the new $token parameter be added to
> wp_generate_auth_cookie()? Currently it's just added in the middle. This
> is nicer, but not backwards compatible.
The best solution to this is probably going to be to have `$token` added
as an optional fourth parameter. If it is not present then a session token
will be generated automatically.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20276#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software