[wp-trac] [WordPress Trac] #34041: Tying nonces to sessions breaks when users are switched
WordPress Trac
noreply at wordpress.org
Sun Sep 27 10:09:02 UTC 2015
#34041: Tying nonces to sessions breaks when users are switched
--------------------------+-------------------------
Reporter: westi | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.3.2
Component: Security | Version: 4.3
Severity: normal | Keywords: needs-patch
Focuses: |
--------------------------+-------------------------
Because of the way we have tied nonces to session tokens, they are broken
if you write code that follows this pattern:
* Code switches user using wp_set_current_user
* Code generates a nonce
* ...time happens
* Nonce is verified for the switched user.
The underlying issue is that while we are switched to the different user,
we still generate nonces using the session token from the currently logged-in
user's cookie.
This is because wp_get_session_token only checks the cookie and either
gives you back a token for the cookie or an empty string.
This also means if you are authenticating by an alternative method and not
setting cookies - say OAuth Authorization headers - then your nonces don't
get session tokens in them at all.
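To make the failure pattern concrete, here is an added Python model (not WordPress code) that mirrors the tick|action|uid|token construction of wp_create_nonce()/wp_verify_nonce() with a constructed salt and a constructed per-user session store. It reproduces the switched-user case and the cookie-less (header auth) case failing verification, and shows the invariant that generation and verification must resolve the same (uid, token) pair; it does not propose a patch.

```python
import hashlib
import hmac
import math
import time

NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime (one day)
SECRET = b"constructed-nonce-salt"  # constructed; WordPress uses wp_hash() salts
# Constructed session store: user id -> token from that user's login cookie.
SESSIONS = {1: "tok-admin-session", 7: "tok-author-session"}

def nonce_tick(now=None):
    """Tick changes every half nonce lifetime, as wp_nonce_tick() does."""
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))

def make_nonce(action, uid, token, tick):
    """Mirror wp_create_nonce(): hmac over tick|action|uid|token, 10 chars."""
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.md5).hexdigest()[-12:-2]

def verify_nonce(nonce, action, uid, token, tick):
    """Accept the current and previous tick, as wp_verify_nonce() does."""
    return any(hmac.compare_digest(make_nonce(action, uid, token, t), nonce)
               for t in (tick, tick - 1))

def switched_user_scenario():
    """Ticket pattern: user 1's cookie is present, code switches to user 7,
    mints a nonce, and user 7 later tries to verify it in their own session."""
    tick = nonce_tick()
    cookie_token = SESSIONS[1]   # wp_get_session_token() only reads the cookie
    nonce = make_nonce("edit-post", 7, cookie_token, tick)
    return verify_nonce(nonce, "edit-post", 7, SESSIONS[7], tick)  # False

def header_auth_scenario():
    """No cookie (e.g. Authorization header): token is '' at generation time,
    so a later cookie-backed request for the same user cannot verify it."""
    tick = nonce_tick()
    nonce = make_nonce("edit-post", 7, "", tick)
    return verify_nonce(nonce, "edit-post", 7, SESSIONS[7], tick)  # False

def consistent_scenario():
    """Invariant: verification succeeds only when both ends resolve the same
    (uid, token) pair for the acting user."""
    tick = nonce_tick()
    nonce = make_nonce("edit-post", 7, SESSIONS[7], tick)
    return verify_nonce(nonce, "edit-post", 7, SESSIONS[7], tick)  # True
```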
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34041>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform