[wp-hackers] Rethinking check_admin_referer()
John Joseph Bachir
jjb at ibiblio.org
Mon Apr 17 14:32:38 GMT 2006
On Mon, 17 Apr 2006, Mark Jaquith wrote:
> 1) function wp_secure_form($key='') { }
>
> This function would echo out a hidden form input with an md5 hash
> computed on (a) the database password, (b) the userid, and (c) the
> optional key.
>
> 2) function wp_check_form($key='') { }
>
> This would just compare the computed hash against
> $_POST['wp_secure_form_key']; or something.
This is precisely what I have done with Lyceum. The relevant functions are
in this file starting at line 115:
http://source.ibiblio.org/trac/lyceum/browser/trunk/src/lib/functions.php
Every form or administrative link in the system is given a token:
function tokeninput($targetscript, $action='default', $id=0){
    // formtoken() (not shown here) derives a token bound to the target
    // script, action and object id for the logged-in user.
    $token = formtoken($targetscript, $action, $id);
    return "<input type=\"hidden\" name=\"token\" value=\"$token\" />";
}
And is validated at the receiving end:
function validateToken( $token, $targetscript, $action='default', $id=0 ){
    // tokenIsValid() and badTokenMessage() are not shown here; the latter
    // reports the failure when the submitted token does not match.
    if (!tokenIsValid( $token, $targetscript, $action, $id ))
        badTokenMessage();
}
The tokens are specific to a logged-in user, and expire after a set time.
After they are validated, they are deleted. The timeout feature of this
needs a bit of refinement, because right now if someone edits a post for
more than the timeout time, they will lose their post. But overall I am
very happy with how this system fits into the rest of my code.
Right now the tokens are being managed with a php session, but they could
also be put into the database if y'all don't like using sessions (as an
aside, why is authentication done directly with cookies instead of with
sessions?)
John
----
aim/yim/msn/jabber.org: johnjosephbachir
713.494.2704
irc://irc.freenode.net/lyceum
http://lyceum.ibiblio.org/
http://blog.johnjosephbachir.org/
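As an added example (not Lyceum's code and not taken from the functions.php linked above), here is one way to implement the scheme John describes: tokens tied to the logged-in user and to the target script, action and id, expiring after a set time and deleted once checked. The token store is passed in as an array so it can alias $_SESSION['tokens'] or be swapped for a database table; $store, $userId, the injectable $now clock and the TOKEN_TTL value are assumptions.

```php
<?php
// Added example, not Lyceum's code: one-time, expiring form tokens bound to
// the logged-in user and to the target script/action/id.
// Assumptions: $store stands in for $_SESSION['tokens'] (or a DB-backed set);
// $userId comes from the login layer; $now is injectable for testing.

const TOKEN_TTL = 1800;   // lifetime in seconds; a constructed value

function formtoken(array &$store, int $userId, string $targetscript,
                   string $action = 'default', int $id = 0, ?int $now = null): string {
    $token = bin2hex(random_bytes(16));           // unguessable, unique per form render
    $store[$token] = [
        'user'    => $userId,
        'script'  => $targetscript,
        'action'  => $action,
        'id'      => $id,
        'expires' => ($now ?? time()) + TOKEN_TTL,
    ];
    return $token;
}

function tokenIsValid(array &$store, int $userId, string $token, string $targetscript,
                      string $action = 'default', int $id = 0, ?int $now = null): bool {
    if (!isset($store[$token])) {
        return false;                              // unknown, already used, or forged
    }
    $meta = $store[$token];
    unset($store[$token]);                         // single use: consumed on first check
    if (($now ?? time()) > $meta['expires']) {
        return false;                              // expired; caller should re-render the form
    }
    // The token must have been issued to this user for exactly this script/action/object.
    return $meta['user'] === $userId
        && $meta['script'] === $targetscript
        && $meta['action'] === $action
        && $meta['id'] === $id;
}

// Demonstration with a constructed store and a fixed clock value.
$store = [];
$t = formtoken($store, 7, 'post.php', 'edit', 42, 1000);
var_dump(tokenIsValid($store, 7, $t, 'post.php', 'edit', 42, 1000));   // matching check
var_dump(tokenIsValid($store, 7, $t, 'post.php', 'edit', 42, 1000));   // same token checked again
$t = formtoken($store, 7, 'post.php', 'edit', 42, 1000);
var_dump(tokenIsValid($store, 7, $t, 'post.php', 'edit', 42, 1000 + TOKEN_TTL + 1)); // after TTL
```

On the expiry case the handler should redisplay the form with the submitted fields intact rather than discarding them, which addresses the lost-post problem mentioned above.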