[wp-trac] [WordPress Trac] #25287: 3.6 introduced a cookie with a non-"wordpress_" prefix. Some reverse proxy setups affected.
WordPress Trac
noreply at wordpress.org
Wed Oct 2 21:55:01 UTC 2013
#25287: 3.6 introduced a cookie with a non-"wordpress_" prefix. Some reverse proxy
setups affected.
--------------------------+--------------------
 Reporter:  markjaquith   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.6.2
Component:  General       |     Version:  3.6
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+--------------------

Comment (by nacin):

 So, I'm actually not sure how big of a problem this is.

 Other cookies in WordPress include:
  * comment_author_*
  * wp-settings*
  * wp-postpass*

 While wordpress_ is used for authentication cookies by default, we do use
 `wp-` for post passwords and user settings, and then we also use comment_*
 for people leaving comments.

 It seems that blocking 'wp-' is very important and was already an existing
 thing.

 Additionally, johnbillion points out in IRC that we don't have any
 site-specific cookies ($blog_id-specific, that is). And we probably don't
 need one here, either, given how it is set and removed quickly.

 I think all we need to do is set this cookie up with the right path and
 domain.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25287#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
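
An added example, not part of the original message or of WordPress itself: a check that compares a cache-bypass rule keyed only on `wordpress_` against one that also covers the `wp-` and `comment_` prefixes listed in the comment. It assumes a reverse proxy that decides whether to skip its shared cache by matching cookie-name prefixes; the function names and sample headers are constructed.

```python
# Added example. Prefixes come from the ticket comment; everything else
# (function names, sample Cookie headers) is constructed for illustration.

AUTH_ONLY = ("wordpress_",)                      # rule keyed on auth cookies only
ALL_PREFIXES = ("wordpress_", "wp-", "comment_")  # prefixes named in the comment


def cookie_names(header):
    """Return the cookie names found in a Cookie request header value."""
    names = []
    for part in header.split(";"):
        # Split on the first "=" only; values may themselves contain "=".
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names


def bypass_reasons(header, prefixes):
    """Names that should make the proxy skip its shared cache (case-sensitive)."""
    return [n for n in cookie_names(header) if n.startswith(prefixes)]


def missed_by_auth_only(header):
    """Cookies the broad rule catches but a 'wordpress_'-only rule ignores."""
    narrow = set(bypass_reasons(header, AUTH_ONLY))
    broad = set(bypass_reasons(header, ALL_PREFIXES))
    return sorted(broad - narrow)


# Constructed sample requests.
SAMPLES = [
    "wordpress_logged_in_abc=admin%7C1; wp-settings-1=editor%3Dtinymce",
    "wp-postpass_abc=%24P%24hash; _ga=GA1.2.3",
    "comment_author_abc=Bob; comment_author_email_abc=bob@example.org",
    "_ga=GA1.2.3; theme=dark",
]

if __name__ == "__main__":
    for header in SAMPLES:
        missed = missed_by_auth_only(header)
        verdict = "cacheable under both rules" if not missed else "missed: " + ", ".join(missed)
        print(f"{header!r}\n  -> {verdict}")
```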