[wp-hackers] sessions vs. cookies

Matt Mullenweg m at mullenweg.com
Tue Apr 18 00:36:43 GMT 2006


John Joseph Bachir wrote:
> Isn't it currently the case that the double-hashed password is sent on 
> every request, and anyone who manages to steal it has full access as a 
> user?

Correct. Just as anyone who steals a session token has access to that 
user's session.

In several years, I have not heard about anyone getting their cookie 
stolen and having their blog messed with, even though this is a pretty 
trivial hack theoretically.

For blogs with heightened security requirements I'd recommend the 
secure-admin[1] plugin, which encrypts everything and puts the sensitive 
bits under an SSL-only cookie. However for most people, including myself, 
this would be overkill.

[1] http://downloads.wordpress.org/plugin/secure-admin.zip
[1] http://dev.wp-plugins.org/browser/secure-admin/

-- 
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
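As an added illustration of the distinction drawn above (this is not code from the thread or from WordPress), the following Python puts the two cookie models side by side: a "credential cookie" that is a hash over the stored password hash, so the same bearer value is sent on every request and stays valid until the password changes, and a "session cookie" that is a random token pointing at a server-side record with an expiry, so it can be revoked per client and ages out on its own. It also shows the Set-Cookie attributes behind the "SSL-only cookie" the plugin is described as using. The hash function, the session TTL, the sample account and all names are assumptions constructed for the example.

```python
"""
Added illustration (not WordPress code) of the two cookie models the thread
contrasts.  Every name, the hash function and the sample account below are
constructed for the example.

  * credential cookie: a hash of the stored password hash, so the same value
    is presented on every request from every device and remains valid until
    the password changes.
  * session cookie: a random token that points to a server-side record with
    an expiry, so it can be revoked and ages out on its own.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample account.  The server stores a hash of the password; the
# cookie is a hash over that stored hash ("double-hashed").  SHA-256 is an
# assumption for the example, not a statement about what WordPress used.
STORED_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()


def credential_cookie(stored_hash: str) -> str:
    """Deterministic: the value never changes until the password does."""
    return hashlib.sha256(stored_hash.encode()).hexdigest()


def credential_cookie_valid(cookie: str, stored_hash: str) -> bool:
    """Whoever presents the right value is the user; the only way to revoke it
    is to change the password, which invalidates every client at once."""
    return hmac.compare_digest(cookie, credential_cookie(stored_hash))


class SessionStore:
    """Server-side session records keyed by a random bearer token."""

    def __init__(self, ttl_seconds: int = 3600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # token -> (user, expiry timestamp)

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness per login
        self._sessions[token] = (user, self._now() + self._ttl)
        return token

    def lookup(self, token: str):
        """Return the user for a live token, or None if unknown or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, expiry = record
        if self._now() >= expiry:
            del self._sessions[token]       # expired tokens are dropped on sight
            return None
        return user

    def revoke(self, token: str) -> None:
        """Log out one client without touching the others."""
        self._sessions.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """Log out every client of a user, e.g. after a suspected cookie theft."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the attributes that limit where a cookie travels:
    Secure is the "SSL-only cookie" from the thread (sent over HTTPS only),
    HttpOnly keeps the value out of reach of page scripts."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    clock = [0.0]
    store = SessionStore(ttl_seconds=60, now=lambda: clock[0])
    tok = store.create("alice")
    print(set_cookie_header("session", tok))
    print("live:", store.lookup(tok))
    clock[0] += 61
    print("after expiry:", store.lookup(tok))
    cred = credential_cookie(STORED_PASSWORD_HASH)
    print("credential cookie identical on every request:",
          cred == credential_cookie(STORED_PASSWORD_HASH))
```

The point the code makes concrete: a stolen credential cookie and a stolen session token both grant access, but the session token is bounded by its expiry and can be revoked for one client (`revoke`) or all of them (`revoke_all`) without forcing a password change, whereas the credential cookie has no lifetime of its own.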

