[wp-trac] [WordPress Trac] #43576: Do not expose user_login through cookies
WordPress Trac
noreply at wordpress.org
Mon Mar 19 23:27:48 UTC 2018
#43576: Do not expose user_login through cookies
------------------------------------+----------------------
Reporter: marcus.downing | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Login and Registration | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
------------------------------------+----------------------
Changes (by peterwilsoncc):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
As has been discussed in other tickets, the WordPress project doesn't
consider usernames or user ids to be private or secure information. A
username is part of your online identity. It is meant to identify, not
verify, who you are saying you are. Verification is the job of the
password.
Many major online establishments — such as Google and Facebook — have done
away with usernames in favor of email addresses, which are shared around
constantly and freely. WordPress has also moved this way, allowing users
to log in with an email address or username since version 4.5.
The text you refer to in the documentation for
[https://codex.wordpress.org/WordPress_Cookies#Non-Version-Specific_Data login cookies]
refers to gleaning '''both''' the username and password. Granted, the text
could do with a minor edit to make this clearer.
For additional protection of logins, you can also consider the
[https://wordpress.org/plugins/two-factor/ two factor authentication]
plugin.
I'm going to close this ticket as wontfix as username exposure has been
discussed in several related tickets: #3708, #5301, #5388, #14644, #20235.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43576#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform