[wp-hackers] sessions vs. cookies

John Joseph Bachir jjb at ibiblio.org
Mon Apr 17 16:52:29 GMT 2006

(starting a new thread to keep things tidy)

>> (as an aside, why is authentication done directly with cookies instead 
>> of with sessions?)

> Protecting session ids is a chore, they're sent back and forth on each 
> request, and anybody who manages to steal one now has full access as a 
> user. The only way sessions can be more secure than cookies is if it's 
> all done over SSL, something that is not an option for the everyday blog

Isn't it currently the case that the double-hashed password is sent on 
every request, and anyone who manages to steal it has full access as a 

aim/yim/msn/jabber.org: johnjosephbachir
