[wp-hackers] New secure cookie protocol in trunk

Ryan Boren ryan at boren.nu
Sun Dec 16 18:00:00 GMT 2007


(Cross-posted to hackers and testers)

A new cookie protocol has landed in trunk.  This protocol is based on
the one described here:

http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

The cookie is laid out like so:

user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key

sk, the secret key, consists of a random string saved to the options
table in  a "secret" field and a user definable secret key specified
in wp-config.php with the SECRET_KEY define.  If SECRET_KEY is not
defined, the DB connect info is used to construct SECRET_KEY.  Cookies
can be mass-expired by changing SECRET_KEY or "secret" in the options
table.

This protocol requires the hash_hmac() function.  This function is
available only in php 5.1.2 and later, so we added a php
implementation of it to compat.php.  If you are using PHP versions <
5.1.2, let us know if you have any troubles with regard to
hash_hmac().

The cookie design is still being discussed, so expect some more
changes.  You can join the ongoing design discussion here:

http://trac.wordpress.org/ticket/5367#comment:29


More information about the wp-hackers mailing list