[wp-trac] [WordPress Trac] #20276: Tie nonces to the current session
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 21 20:20:58 UTC 2012
#20276: Tie nonces to the current session
--------------------------+----------------------------
Reporter: ryan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Keywords:
--------------------------+----------------------------
OWASP specifies that "the synchronizer token pattern requires the
generating of random challenge tokens that are associated with the user's
current session." Our nonces have a timeout, but that timeout can span
cookie sessions. Instead, nonces should be somehow tied to the current
auth cookie and invalidate whenever the cookie invalidates.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20276>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
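Added illustration of the change the ticket asks for (this is example code written for this page, not WordPress core and not attached to the ticket; all function names, the 24-hour nonce life, the 10-character truncation and the in-memory session store are assumptions, and it needs PHP 8.0 or later for the int|false return type). The nonce is an HMAC over the action, the user id, a coarse time tick and the random session token that the auth cookie carries. Because the server forgets that token when the cookie is invalidated, a nonce computed over it stops verifying at logout even though its time window has not run out, which is exactly what a tick-and-action-only nonce cannot do.

```php
<?php
// Example only: session-bound nonces. Hypothetical names; not WordPress core code.

const NONCE_LIFE = 86400; // assumed 24-hour nonce life, accepted for two half-life ticks

// Current half-life window. Accepting this tick and the previous one gives a nonce
// a lifetime of between NONCE_LIFE/2 and NONCE_LIFE seconds.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// The session token is part of the HMAC input, so a nonce is only meaningful for
// the session it was minted in. $secretKey stands in for a site-wide secret.
function nonce_mac(int $tick, string $action, int $userId, string $sessionToken, string $secretKey): string
{
    $mac = hash_hmac('sha256', "$tick|$action|$userId|$sessionToken", $secretKey);
    return substr($mac, -12, 10); // truncated to 10 hex chars (assumed length)
}

function create_nonce(string $action, int $userId, string $sessionToken, string $secretKey, int $now): string
{
    return nonce_mac(nonce_tick($now), $action, $userId, $sessionToken, $secretKey);
}

// Returns 1 for a nonce from the current tick, 2 for one from the previous tick,
// false otherwise. A null token means there is no live session to bind to.
function verify_nonce(string $nonce, string $action, int $userId, ?string $sessionToken, string $secretKey, int $now): int|false
{
    if ($sessionToken === null) {
        return false;
    }
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        $expected = nonce_mac($t, $action, $userId, $sessionToken, $secretKey);
        if (hash_equals($expected, $nonce)) { // constant-time comparison
            return $age;
        }
    }
    return false;
}

// Constructed in-memory session store: user id => token of the current session.
// A real site would keep the token server-side and copy it into the auth cookie.
function login(array &$sessions, int $userId): string
{
    $sessions[$userId] = bin2hex(random_bytes(32)); // fresh random token per login
    return $sessions[$userId];
}

function logout(array &$sessions, int $userId): void
{
    unset($sessions[$userId]); // cookie invalidated, token forgotten
}

$secretKey = 'constructed-site-secret'; // constructed; never hard-code a real one
$sessions  = [];
$t0        = 1332361258;                // constructed "now", in seconds
$action    = 'delete-post_42';

$token = login($sessions, 7);
$nonce = create_nonce($action, 7, $token, $secretKey, $t0);

$results = [];
// Same session, ten minutes later: verifies (age 1, or 2 if a tick boundary was crossed).
$results['same session']   = verify_nonce($nonce, $action, 7, $sessions[7] ?? null, $secretKey, $t0 + 600);
// Different action with the same session: rejected.
$results['other action']   = verify_nonce($nonce, 'delete-post_43', 7, $sessions[7] ?? null, $secretKey, $t0 + 600);
// Logout inside the time window: a tick-only nonce would still pass here; this one does not.
logout($sessions, 7);
$results['after logout']   = verify_nonce($nonce, $action, 7, $sessions[7] ?? null, $secretKey, $t0 + 600);
// A new login gets a new token, so the old nonce stays dead even for the same user.
login($sessions, 7);
$results['after re-login'] = verify_nonce($nonce, $action, 7, $sessions[7] ?? null, $secretKey, $t0 + 600);
// Past the window, even in the original session, the tick no longer matches.
$results['expired']        = verify_nonce($nonce, $action, 7, $token, $secretKey, $t0 + NONCE_LIFE + 1);

var_export($results);
```

The practical consequence is the one the ticket wants: a nonce that leaks (for example through a Referer header on a GET form) dies with the cookie it was minted under, instead of living out its full timeout across a logout and a fresh login. The cost is that forms left open across a re-login fail their nonce check and have to be resubmitted, which is the correct outcome for the synchronizer token pattern.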