[wp-trac] [WordPress Trac] #19599: Localizations should not need to worry about the default secret key

WordPress Trac wp-trac at lists.automattic.com
Thu May 24 07:42:39 UTC 2012


#19599: Localizations should not need to worry about the default secret key
----------------------------+-----------------------
 Reporter:  nacin           |       Owner:  nacin
     Type:  task (blessed)  |      Status:  reopened
 Priority:  high            |   Milestone:  3.4
Component:  I18N            |     Version:  3.4
 Severity:  blocker         |  Resolution:
 Keywords:  has-patch       |
----------------------------+-----------------------

Comment (by markjaquith):

 Having the update-initiating user get kicked out during the update process
 is unacceptable. Terrible user experience. That's the blocker. Less of a
 blocker, but still annoying, is that other site users will get their
 cookies invalidated.

 Proposal: for 3.4, we continue to accept login cookies salted with the old
 default constant salts, and upgrade them to the new cookie with the db-
 driven salts on the fly. Then, for 3.5, we stop accepting the old default
 constant salts. This puts off the security-enhancing benefit, but will
 result in a better user experience, as only people who haven't logged in
 to WP since 3.3 will get the boot in 3.5.

 Thoughts?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19599#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
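
The staged rollout proposed in the comment above, sketched as an added example (not WordPress core code and not part of the original message). The cookie layout `user|expiry|hmac`, the salt values and the function names are assumptions made for illustration; WordPress's real auth cookie is built differently.

```php
<?php
// Hypothetical, simplified cookie: "user|expiry|hmac". Salts are constructed sample values.
const LEGACY_SALT  = 'constructed-old-default-constant-salt';
const CURRENT_SALT = 'constructed-db-generated-salt';

function sign_cookie(string $user, int $expiry, string $salt): string {
    return $user . '|' . $expiry . '|' . hash_hmac('sha256', $user . '|' . $expiry, $salt);
}

/**
 * Returns [user, replacementCookie] when the cookie is valid, null otherwise.
 * replacementCookie is non-null only when a legacy-salted cookie was upgraded.
 * $acceptLegacy models the release: true for the grace release, false afterwards.
 */
function validate_cookie(string $cookie, int $now, bool $acceptLegacy): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $mac] = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null; // malformed or expired
    }
    $payload = $user . '|' . $expiry;

    // Always try the current (db-driven) salt first; constant-time comparison.
    if (hash_equals(hash_hmac('sha256', $payload, CURRENT_SALT), $mac)) {
        return [$user, null];
    }
    // Grace path: accept the old salt, but hand back a cookie signed with the new one.
    // The original expiry is kept so the upgrade does not lengthen the session.
    if ($acceptLegacy && hash_equals(hash_hmac('sha256', $payload, LEGACY_SALT), $mac)) {
        return [$user, sign_cookie($user, (int) $expiry, CURRENT_SALT)];
    }
    return null;
}

$now = 1337845359; // constructed timestamp
$old = sign_cookie('admin', $now + 3600, LEGACY_SALT);

// Grace release: the legacy cookie is accepted and a replacement is issued.
[$user, $upgraded] = validate_cookie($old, $now, true);
var_dump($user, $upgraded !== null);
// The replacement validates against the current salt with nothing left to reissue.
var_dump(validate_cookie($upgraded, $now, false));
// Following release: the same legacy cookie no longer validates.
var_dump(validate_cookie($old, $now, false));
```

A caller would send `replacementCookie` back via `Set-Cookie` whenever it is non-null, so each returning user is migrated on their first request during the grace release.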