[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions
WordPress Trac
noreply at wordpress.org
Fri Jul 18 09:17:02 UTC 2014
#20276: Tie nonces and cookies to expirable sessions
----------------------------+------------------
Reporter: ryan | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+------------------
Changes (by nacin):
* keywords: has-patch commit dev-feedback =>
Comment:
In [29221]:
Tie cookies and nonces to user sessions so they may be invalidated upon
logout.

Sessions are stored in usermeta via WP_User_Meta_Session_Tokens, which
extends the abstract WP_Session_Tokens class. Extending WP_Session_Tokens
can allow for alternative storage, such as a separate table or Redis.

Introduces some simple APIs for session listing and destruction, such as
wp_get_all_sessions() and wp_destroy_all_sessions().

This invalidates all existing authentication cookies, as a new segment
(the session token) has been added to them.

props duck_, nacin, mdawaffe.
see #20276.
----
Note the original commit message said wp_get_active_sessions() — it is
actually wp_get_all_sessions().
--
Ticket URL: <https://core.trac.wordpress.org/ticket/20276#comment:26>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
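
A simplified model of the mechanism the commit message describes, added here as an illustration: it is not WordPress code and does not reproduce WordPress's actual cookie format or storage. The names `SessionStore`, `issue_cookie` and `validate_cookie`, the four-segment layout and the demo key are assumptions made for this example.

```python
import hashlib, hmac, secrets

SECRET = b"constructed-demo-key"  # constructed value standing in for a site secret

class SessionStore:
    """Hypothetical per-user store: keeps a hash of each token and its expiry."""
    def __init__(self):
        self._sessions = {}  # user -> {sha256(token): expiration}

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, expiration):
        token = secrets.token_hex(16)
        self._sessions.setdefault(user, {})[self._h(token)] = expiration
        return token

    def verify(self, user, token, now):
        exp = self._sessions.get(user, {}).get(self._h(token))
        return exp is not None and exp > now

    def destroy(self, user, token):   # logout of one session
        self._sessions.get(user, {}).pop(self._h(token), None)

    def destroy_all(self, user):      # invalidate every session of the user
        self._sessions.pop(user, None)

def _mac(user, expiration, token):
    msg = f"{user}|{expiration}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_cookie(store, user, ttl, now):
    expiration = int(now) + ttl
    token = store.create(user, expiration)
    return f"{user}|{expiration}|{token}|{_mac(user, expiration, token)}"

def validate_cookie(store, cookie, now):
    parts = cookie.split("|")
    if len(parts) != 4:  # a cookie issued without the token segment is rejected
        return None
    user, expiration, token, mac = parts
    if not expiration.isdecimal() or int(expiration) <= now:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(user, expiration, token).encode()):
        return None
    # A valid signature is no longer enough: the session must still exist.
    return user if store.verify(user, token, now) else None
```

The last check is the point of the change: a cookie with a correct signature and an unexpired timestamp stops validating as soon as its session is destroyed on the server.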