[wp-trac] [WordPress Trac] #16483: Visibility: password-protected exposes multiple pages

Tue Jun 13 18:04:37 UTC 2017

#16483: Visibility: password-protected exposes multiple pages
-------------------------------------------------+-------------------------
 Reporter:  monkeyhouse                          |       Owner:
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  4.9
Component:  Security                             |     Version:  3.0.4
 Severity:  normal                               |  Resolution:
 Keywords:  dev-feedback needs-testing has-      |     Focuses:
  patch early                                    |
-------------------------------------------------+-------------------------

Comment (by partyfrikadelle):

 You asked for a use-case where the actual behaviour makes sense? ;-) We
 got a customer, that uses same passwords over several Pages to make a
 complete "Chapter" available for the Users without having to "log in"
 again on every page.

 I'm pretty unsure if you can call the actual behaviour a real "security
 risk". If the User just has to enter a password, he ALREADY KNOWS for the
 Site, i would not call that "secure" actually.

 Let's be honest: 2 Parts of the actual Solution make it practically
 impossible to make it secure. One per-Page-Password will never be really
 secure. And the Password hashed in the Cookie? Will always be unsecure in
 my point of view.

 The One-Cookie-Per-Post-Solution implies Problems for all Sites, that rely
 on CDN-Services like Cloudfront, that rely on Cookies and/or Header-
 Information to cache content. Having individual Cookies for every post
 will make it impossible to to whitelist Cookies properly AND preventing
 that a logged-in will get a complete personal cache because of a very
 specific Cookie-Set.

 For preventing the above behaviour even for the normal password-cookie, i
 set the lifetime of the password-cookie to 1 second. This makes the user
 to enter the password on every page. Even if you reload the actual one.
 {{{#!php
 <?php
 function szs_set_cookie_expire () {
         return time() + 1; // 1 second.
 }
 add_filter('post_password_expires', 'szs_set_cookie_expire', 99);
 }}}
 But by that way no password-cookie ist sent at the next request and a CDN
 can response with the cached version as expected.

 I would imagine that making the underlying security-problems with using
 the Post-Passwords more transparent is more important than changing one
 unsecure behaviour to a practically just as unsecure behaviour.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/16483#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform