[wp-trac] [WordPress Trac] #43576: Do not expose user_login through cookies

WordPress Trac noreply at wordpress.org
Mon Mar 19 13:45:26 UTC 2018


#43576: Do not expose user_login through cookies
------------------------------------+-----------------------------
 Reporter:  marcus.downing          |      Owner:
     Type:  enhancement             |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  trunk
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
 An ITHC recently reported that the cookies `wordpress_logged_in` and
 `wordpress_sec` contain the current username. This exposes the possibility
 that user's username can be extracted by a third party that is able to
 read the cookie.

 Of course the cookies themselves should be and are protected in other ways
 (including `HttpOnly` and `Secure`), and an attacker who has managed to
 intercept a session cookie already has the means to log in as you; but if
 the security issues seen in recent years (to all software, not just
 WordPress) have taught us anything it's that if you take security serious
 you need to close all the doors, not just one of them.

 I understand that some may regard this as a non-issue, but since it was
 raised to us during a security review we're obliged to take it seriously.


 === Proposed solution ===

 On user login, a unique value is created and saved in usermeta. This value
 should be different each time you log in, and reveal nothing about the
 user or their ID. The value is sent with the cookie in place of the
 username. Multiple such records can and will coexist, representing the
 user logging in from multiple devices.

 On cookie verification, the value is retrieved from usermeta and used to
 find the user ID.

 This solution has the added benefit that it will be harder for an attacker
 to fake a WordPress login cookie even if they have your database and
 salts, since any session they created would not be in the database. On the
 other hand it has a side effect that losing the current user login entries
 from usermeta (such as by reverting to backup database) would invalidate
 login sessions.

 As a downside it would involve a reasonably high turnover of temporary
 records in the usermeta table; it may be preferable to use transient
 entries in the options table instead.

 An alternative solution would be to reversibly encrypt the username part
 of the cookie, and decrypt it on verification.


 === Affected code ===

 In `wp-includes/pluggable.php`, the functions:
 `wp_generate_auth_cookie($user_id, $expiration, $scheme, $token)`
 `wp_validate_auth_cookie($cookie, $scheme)`.

 Note that the pluggable nature of these functions means I can (and
 probably will) write a plugin to address the issue on my own site.
 However, I believe this change may benefit security for others and should
 therefore be addressed in core.


 === Possibly related ===

 #9577 use user_id rather than user_login in the authentication cookie

 This was discussed in a different context and rejected 9 years ago, but
 the issue isn't the same, and I believe we've all learned more about
 security in the last 9 years.

 In particular, this issue suggested using the user's ID rather than their
 username. This provided little or no security benefit, because there are
 various ways of getting a user's login from their ID. My suggestion above
 instead uses a temporary code that reveals nothing and is hard to fake.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43576>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list