[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions

WordPress Trac noreply at wordpress.org
Wed Aug 27 02:11:36 UTC 2014


#20276: Tie nonces and cookies to expirable sessions
----------------------------+---------------------
 Reporter:  ryan            |       Owner:
     Type:  task (blessed)  |      Status:  closed
 Priority:  normal          |   Milestone:  4.0
Component:  Security        |     Version:
 Severity:  normal          |  Resolution:  fixed
 Keywords:                  |     Focuses:
----------------------------+---------------------

Comment (by nacin):

 After flexing the API as a result of starting development on a plugin and
 also presenting about it at WordCamp Boston last weekend, I noticed a
 pretty major hole — there was no way to get session information, given a
 token. A good use case would be to get the active session and attach new
 session information to it. You could call update_token() but there was no
 getter.

 get_token( $token ) (returning a session) didn't make sense, and at this
 point, mdawaffe and I realized that the API — using token for public
 methods, _session for the abstract protected ones — could benefit from
 some method renaming. Hence [29635].

 The new prototypes are:
 {{{
 protected function __construct( $user_id ) {

 final public static function get_instance( $user_id ) {
 final public function get( $token ) {
 final public function verify( $token ) {
 final public function create( $expiration ) {
 final public function update( $token, $session ) {
 final public function destroy( $token ) {
 final public function destroy_others( $token_to_keep ) {
 final public function destroy_all() {
 final public static function destroy_all_for_all_users() {
 final public function get_all() {

 final private function hash_token( $token ) {
 final protected function is_still_valid( $session ) {

 abstract protected function get_sessions();
 abstract protected function get_session( $verifier );
 abstract protected function update_session( $verifier, $session = null );
 abstract protected function destroy_other_sessions( $verifier );
 abstract protected function destroy_all_sessions();

 public static function drop_sessions() {}
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/20276#comment:51>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
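
To show how the renamed API fits together, here is an added illustration that is not WordPress core code: a minimal, self-contained manager modeled on the prototypes in the comment above, with an in-memory concrete store. The class names `Example_Session_Tokens` and `Example_Memory_Session_Tokens`, the use of `random_bytes()` for the raw token, `hash('sha256', ...)` as the token-to-verifier function, the session fields and the sample values are all assumptions of this example, not details taken from [29635].

```php
<?php
// Added illustration (not WordPress core code), modeled on the prototypes
// quoted in the comment. Storage, token generation and hashing are assumptions.

abstract class Example_Session_Tokens {
    protected $user_id;

    protected function __construct( $user_id ) {
        $this->user_id = (int) $user_id;
    }

    // A real implementation would let the store be swapped; this one is fixed.
    final public static function get_instance( $user_id ) {
        return new Example_Memory_Session_Tokens( $user_id );
    }

    // The getter the comment describes as missing: session data for a raw token,
    // or null when the token is unknown or the session has expired.
    final public function get( $token ) {
        $session = $this->get_session( $this->hash_token( $token ) );
        return $this->is_still_valid( $session ) ? $session : null;
    }

    final public function verify( $token ) {
        return null !== $this->get( $token );
    }

    // Returns the raw token to the caller; only its hash (the verifier) is stored.
    final public function create( $expiration ) {
        $token = bin2hex( random_bytes( 22 ) ); // assumption: 44 hex chars of CSPRNG output
        $this->update( $token, array( 'expiration' => (int) $expiration ) );
        return $token;
    }

    final public function update( $token, $session ) {
        $this->update_session( $this->hash_token( $token ), $session );
    }

    final public function destroy( $token ) {
        $this->update_session( $this->hash_token( $token ), null );
    }

    final public function destroy_others( $token_to_keep ) {
        $this->destroy_other_sessions( $this->hash_token( $token_to_keep ) );
    }

    final public function destroy_all() {
        $this->destroy_all_sessions();
    }

    final public function get_all() {
        return array_values( array_filter( $this->get_sessions(), array( $this, 'is_still_valid' ) ) );
    }

    // Raw tokens never reach storage, so a copied store yields only hashes.
    private function hash_token( $token ) {
        return hash( 'sha256', $token );
    }

    final protected function is_still_valid( $session ) {
        return is_array( $session ) && $session['expiration'] >= time();
    }

    abstract protected function get_sessions();
    abstract protected function get_session( $verifier );
    abstract protected function update_session( $verifier, $session = null );
    abstract protected function destroy_other_sessions( $verifier );
    abstract protected function destroy_all_sessions();
}

// Assumed concrete store: sessions kept in a static array, keyed by verifier.
class Example_Memory_Session_Tokens extends Example_Session_Tokens {
    private static $store = array(); // user_id => array( verifier => session )

    protected function get_sessions() {
        return isset( self::$store[ $this->user_id ] ) ? self::$store[ $this->user_id ] : array();
    }

    protected function get_session( $verifier ) {
        $sessions = $this->get_sessions();
        return isset( $sessions[ $verifier ] ) ? $sessions[ $verifier ] : null;
    }

    protected function update_session( $verifier, $session = null ) {
        if ( null === $session ) {
            unset( self::$store[ $this->user_id ][ $verifier ] );
        } else {
            self::$store[ $this->user_id ][ $verifier ] = $session;
        }
    }

    protected function destroy_other_sessions( $verifier ) {
        $keep = $this->get_session( $verifier );
        self::$store[ $this->user_id ] = ( null === $keep ) ? array() : array( $verifier => $keep );
    }

    protected function destroy_all_sessions() {
        self::$store[ $this->user_id ] = array();
    }
}

// Usage: create a session, then attach data to the active one via get() + update().
$manager = Example_Session_Tokens::get_instance( 42 ); // constructed user id
$token   = $manager->create( time() + 2 * 24 * 60 * 60 );
$session = $manager->get( $token );
$session['ip'] = '192.0.2.10';                          // constructed sample value
$manager->update( $token, $session );
$manager->destroy_others( $token );
$manager->destroy( $token );
```

The point of the `get()` / `update()` pair is the use case from the comment: callers look up the active session by the raw token they hold and write back a modified copy, while the store itself only ever sees the verifier. Expiration is enforced on every read in `is_still_valid()`, so an expired entry behaves as absent even before it is physically removed.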