[wp-hackers] Rethinking check_admin_referer()

Geoff Johnson thunderlove at gmail.com
Mon Apr 17 21:55:53 GMT 2006

I'm wondering if there is any need for a key/PID...  What if a random value
was used each time, and saved as an admin cookie?

A unique id could be generated each time an admin page is viewed, and
embedded in the link.


<?php
// A fresh random value on every admin page view, stored in a cookie ...
$cval = md5( rand() . time() . microtime() );
setcookie( 'testCookie', $cval );

if ( ! isset( $_REQUEST['passkey'] ) ) {
        // ... and embedded in the admin link.
        echo '<a href="/test.php?passkey=' . $cval . '">test it!</a>';
} else if ( isset( $_COOKIE['testCookie'] ) && $_COOKIE['testCookie'] === $_REQUEST['passkey'] ) {
        // Cookie sent by the browser matches the value carried in the link.
        echo '<h3>Access Granted</h3>';
} else {
        echo '<h3>Access Denied</h3>';
}
?>

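The cookie-plus-link idea from the post above, written out as an added example (this is not code from the post or from WordPress). The function names (mint_token, issue_token, admin_link, verify_token) and the cookie name admin_token are this example's own. It assumes PHP 7.3 or later for random_bytes and the array form of setcookie.

```php
<?php
// Added example: the "random value in a cookie, echoed in the admin link" check,
// implemented as testable functions. Names here are assumptions, not WordPress APIs.

const TOKEN_COOKIE = 'admin_token';

// Mint the token from a CSPRNG rather than md5(rand() . time() . microtime()),
// whose inputs an attacker can narrow down. 16 bytes = 128 bits of entropy.
function mint_token(): string {
    return bin2hex(random_bytes(16));
}

// Issue the token once per browser session and reuse it while it is valid, so
// that several admin tabs opened at once do not overwrite each other's cookie.
// $cookies stands in for $_COOKIE so the logic can run without a web server.
function issue_token(array &$cookies): string {
    $have = $cookies[TOKEN_COOKIE] ?? '';
    if (!is_string($have) || !preg_match('/^[0-9a-f]{32}$/', $have)) {
        $have = mint_token();
        $cookies[TOKEN_COOKIE] = $have;
        if (PHP_SAPI !== 'cli') {
            // HttpOnly keeps page script away from the value; Secure when on TLS;
            // SameSite=Strict is defence in depth against cross-site sends.
            setcookie(TOKEN_COOKIE, $have, [
                'path'     => '/',
                'httponly' => true,
                'secure'   => !empty($_SERVER['HTTPS']),
                'samesite' => 'Strict',
            ]);
        }
    }
    return $have;
}

// Build the admin link carrying the token, as the post proposes.
function admin_link(string $url, string $token): string {
    $sep = strpos($url, '?') === false ? '?' : '&';
    return htmlspecialchars($url . $sep . 'passkey=' . $token, ENT_QUOTES, 'UTF-8');
}

// Verify: cookie and request value must both be present and equal.
// hash_equals avoids leaking the match position through timing.
function verify_token(array $cookies, array $request): bool {
    $cookie = $cookies[TOKEN_COOKIE] ?? '';
    $sent   = $request['passkey'] ?? '';
    if (!is_string($cookie) || !is_string($sent) || $cookie === '' || $sent === '') {
        return false;
    }
    return hash_equals($cookie, $sent);
}

// --- demonstration on constructed data (no browser involved) ---
$jar   = [];                       // constructed stand-in for the browser's cookie jar
$token = issue_token($jar);
echo admin_link('/wp-admin/test.php', $token), "\n";

// Legitimate click: browser sends the cookie and the passkey from the link.
var_dump(verify_token($jar, ['passkey' => $token]));

// Forged request from another site: the victim's cookie still travels, but the
// attacker cannot read it, so the passkey is missing or guessed.
var_dump(verify_token($jar, ['passkey' => str_repeat('a', 32)]));
var_dump(verify_token($jar, []));
```

The first verify_token call succeeds and the other two fail: the check holds only because the attacker's page can cause the victim's cookie to be sent but cannot read its value to copy it into the link. That is also the pattern's limit. Anything that can set or read cookies for the site (a sibling subdomain, an XSS bug) can forge the passkey, and a per-view token, as in the post's version, is overwritten by whichever admin tab loaded last.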