[wp-trac] [WordPress Trac] #20276: Tie nonces and cookies to expirable sessions
WordPress Trac
noreply at wordpress.org
Thu May 29 20:47:57 UTC 2014
#20276: Tie nonces and cookies to expirable sessions
-------------------------------------------+------------------
Reporter: ryan | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Security | Version:
Severity: normal | Resolution:
Keywords: has-patch commit dev-feedback | Focuses:
-------------------------------------------+------------------
Comment (by nacin):
Replying to [comment:19 jeremyfelt]:
> One note so far—if the salt keys in wp-config.php are changed, the
> session is invalidated as expected. However, the original session is not
> removed from the DB and the new session piles on. This *could* cause
> clutter over time.
They'll eventually be removed upon expiration. By default, WordPress
allows sessions to last for 48 hours, and "Remember me" extends that to 14
days. So the clutter would not be severe.
However, I'd like to bump "Remember me" to something like 30, 60, 90, or
even 365 days once we get this in. That could indeed result in clutter.
I'm not terribly concerned about more stuff in the DB, but since these
sessions are invalid, then the get_sessions() method would lie when used
for presentation purposes.
One option would be to take all keys/salts and hash them into a single DB
option, and watch for that hash to change. If it does, simply invalidate
all sessions, since that's what is happening anyway. That's achievable via
API with `delete_metadata( 'user', false, 'session_tokens', '', true );`
and would probably be wrapped up into a
static `destroy_sessions_for_all_users()` method.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/20276#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
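The salt-fingerprint idea sketched in the comment above, written out as an added example. This is not WordPress core code and not a patch from the ticket; it only illustrates the mechanism. It assumes a hypothetical option name (`example_salt_fingerprint`), a hypothetical `example_` function prefix, and that the check runs on the `init` hook. The `delete_metadata( 'user', false, 'session_tokens', '', true )` call and the `session_tokens` meta key are the ones the comment names; the eight key/salt constants are the standard ones WordPress reads from wp-config.php.

```php
<?php
/**
 * Added example (not WordPress core, not from ticket #20276): fingerprint the
 * wp-config.php keys/salts, store the fingerprint, and when it changes drop
 * every stored session token, because rotating the salts has already made
 * all of those sessions unverifiable.
 *
 * Assumptions not stated in the ticket: the option name
 * 'example_salt_fingerprint', the 'example_' prefix and the 'init' hook.
 */

// Hash the eight secrets WordPress reads from wp-config.php. A constant that
// is not defined is fingerprinted as an empty string so a partial config
// still produces a stable value instead of a notice.
function example_salt_fingerprint() {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    $parts = array();
    foreach ( $names as $name ) {
        $parts[] = defined( $name ) ? constant( $name ) : '';
    }
    // Join with a separator byte so ("ab","c") and ("a","bc") hash differently.
    // A plain SHA-256 is adequate: the inputs are long random secrets, so the
    // digest stored in the DB does not make them recoverable.
    return hash( 'sha256', implode( "\0", $parts ) );
}

// Compare the live fingerprint with the stored one. On a mismatch destroy the
// session tokens of every user and record the new fingerprint.
// Returns true when sessions were destroyed, false otherwise.
function example_maybe_destroy_sessions_on_salt_change() {
    $current = example_salt_fingerprint();
    $stored  = get_option( 'example_salt_fingerprint' ); // hypothetical option

    if ( false === $stored ) {
        // First run: nothing to compare against yet, just record the value.
        update_option( 'example_salt_fingerprint', $current, false );
        return false;
    }

    if ( hash_equals( $stored, $current ) ) {
        return false; // salts unchanged, existing sessions are still valid
    }

    // The exact call proposed in the comment: object id false plus
    // $delete_all = true removes 'session_tokens' meta for all users.
    delete_metadata( 'user', false, 'session_tokens', '', true );
    update_option( 'example_salt_fingerprint', $current, false );
    return true;
}

add_action( 'init', 'example_maybe_destroy_sessions_on_salt_change' );
```

One caveat a practitioner would add: the check must run before any code that lists sessions for presentation, otherwise the stale rows the comment describes are still visible for one request after the salts change. Running it on `init` keeps the cost to one option read per request.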