[wp-testers] New secure cookie protocol in trunk

Matt speedboxer at gmail.com
Sun Dec 16 20:33:37 GMT 2007


Appears to be working well.

But, when you log out, does it have to say both "Your session has expired."
and "Successfully logged you out."?

On Dec 16, 2007 10:00 AM, Ryan Boren <ryan at boren.nu> wrote:

> (Cross-posted to hackers and testers)
>
> A new cookie protocol has landed in trunk.  This protocol is based on
> the one described here:
>
> http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
>
> The cookie is laid out like so:
>
> user name|expiration time|HMAC( user name|expiration time, k)
> where k = HMAC(user name|expiration time, sk)
> and where sk is a secret key
>
> sk, the secret key, consists of a random string saved to the options
> table in a "secret" field and a user-definable secret key specified
> in wp-config.php with the SECRET_KEY define.  If SECRET_KEY is not
> defined, the DB connect info is used to construct SECRET_KEY.  Cookies
> can be mass-expired by changing SECRET_KEY or "secret" in the options
> table.
>
> This protocol requires the hash_hmac() function.  This function is
> available only in PHP 5.1.2 and later, so we added a PHP
> implementation of it to compat.php.  If you are using PHP versions <
> 5.1.2, let us know if you have any troubles with regard to
> hash_hmac().
>
> The cookie design is still being discussed, so expect some more
> changes.  You can join the ongoing design discussion here:
>
> http://trac.wordpress.org/ticket/5367#comment:29
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>



-- 
Matt (speedboxer at gmail.com)
http://mattsblog.ca/
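
The cookie layout quoted above, worked through as an added example (not part of the thread and not WordPress's code). Assumptions: SHA-256 as the HMAC hash, sk formed by concatenating the two secrets, PHP 7.1 or later, and every function name and sample value below.

```php
<?php
// Added example, not WordPress code. Assumed: SHA-256, '|' separator, all names.

// user name|expiration time|HMAC(user name|expiration time, k)
// where k = HMAC(user name|expiration time, sk)
function example_make_cookie(string $user, int $expires, string $sk): string
{
    if ($user === '' || strpos($user, '|') !== false) {
        throw new InvalidArgumentException('user name must be non-empty, without "|"');
    }
    $data = $user . '|' . $expires;
    $k    = hash_hmac('sha256', $data, $sk);  // per-cookie key derived from sk
    return $data . '|' . hash_hmac('sha256', $data, $k);
}

// Returns the user name for an authentic, unexpired cookie, otherwise null.
function example_check_cookie(string $cookie, string $sk, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                          // malformed layout
    }
    [$user, $expires, $mac] = $parts;
    if ($user === '' || !ctype_digit($expires)) {
        return null;
    }
    // Recompute the MAC from the received fields; compare in constant time.
    $data     = $user . '|' . $expires;
    $k        = hash_hmac('sha256', $data, $sk);
    $expected = hash_hmac('sha256', $data, $k);
    if (!hash_equals($expected, $mac)) {
        return null;                          // altered fields or wrong secret
    }
    // Trust the expiration time only after the MAC has verified.
    return ((int) $expires >= $now) ? $user : null;
}

// Constructed sample values.
$sk     = 'constructed-options-secret' . 'constructed-SECRET_KEY';
$now    = 1197837217;
$cookie = example_make_cookie('admin', $now + 172800, $sk);

var_dump(example_check_cookie($cookie, $sk, $now));             // untampered
$edited = str_replace((string) ($now + 172800), (string) ($now + 999999999), $cookie);
var_dump(example_check_cookie($edited, $sk, $now));             // expiration edited
var_dump(example_check_cookie($cookie, 'rotated' . $sk, $now)); // secret changed
var_dump(example_check_cookie($cookie, $sk, $now + 172801));    // past expiration
```

The secret-changed case is the mass-expiry mechanism the announcement describes: every cookie issued under the old sk stops verifying at once.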

