[wp-hackers] sessions vs. cookies
Matt Mullenweg
m at mullenweg.com
Tue Apr 18 00:36:43 GMT 2006
John Joseph Bachir wrote:
> Isn't it currently the case that the double-hashed password is sent on
> every request, and anyone who manages to steal it has full access as a
> user?
Correct. Just as anyone who steals a session token has access to that
user's session.
In several years, I have not heard about anyone getting their cookie
stolen and having their blog messed with, even though this is a pretty
trivial hack theoretically.
For blogs with heightened security requirements I'd recommend the
secure-admin[1] plugin, which encrypts everything and puts the sensitive
bits under an SSL-only cookie. However for most people, including myself,
this would be overkill.
[1] http://downloads.wordpress.org/plugin/secure-admin.zip
[1] http://dev.wp-plugins.org/browser/secure-admin/
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
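The two points in this exchange, that a cookie carrying a hash derived from the password is a bearer credential that stays valid until the password changes while a session token can simply be revoked, and that an "SSL-only cookie" is a cookie sent with the Secure attribute so it never travels over plain HTTP, can be shown in a few lines. The following is an added example, not code from WordPress, the secure-admin plugin, or anyone on this thread; the cookie names, the double-SHA-256 stand-in for the password hash, and the in-memory session store are all constructed for illustration.

```python
"""Added illustration (not WordPress or secure-admin code) of the
session-token vs. password-hash-cookie trade-off discussed on wp-hackers,
plus a small audit of Set-Cookie attributes. All values are constructed."""
import hashlib
import hmac
import secrets


def build_set_cookie(name, value, secure, httponly, samesite=None, max_age=None):
    """Assemble a Set-Cookie header value; `secure` is the "SSL-only" flag."""
    parts = [f"{name}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")       # browser sends it over HTTPS only
    if httponly:
        parts.append("HttpOnly")     # not readable from page scripts
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def audit_set_cookie(header):
    """Return the protective attributes missing from a Set-Cookie header."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    missing = []
    for attr in ("Secure", "HttpOnly", "SameSite"):
        if attr.lower() not in attrs:
            missing.append(attr)
    return missing


# --- Static credential cookie: deterministic function of the password ---
def static_credential_cookie(password):
    """Stand-in for a 'double-hashed password' cookie value (hypothetical
    construction, not WordPress's actual scheme)."""
    first = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256(first.encode()).hexdigest()


def verify_static_credential(cookie_value, password):
    """A stolen value keeps working for as long as the password is unchanged."""
    expected = static_credential_cookie(password)
    return hmac.compare_digest(cookie_value, expected)


# --- Server-side session: random token, unrelated to the password, revocable ---
class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> username

    def issue(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[token] = user
        return token

    def resolve(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)

    def revoke_all(self, user):
        """Log a user out everywhere, e.g. after a suspected cookie theft."""
        for tok in [t for t, u in self._sessions.items() if u == user]:
            del self._sessions[tok]


if __name__ == "__main__":
    weak = build_set_cookie("wordpressuser", "admin", secure=False, httponly=False)
    hard = build_set_cookie("sid", "x", secure=True, httponly=True, samesite="Lax", max_age=3600)
    print("weak cookie lacks:", audit_set_cookie(weak))
    print("hard cookie lacks:", audit_set_cookie(hard))

    store = SessionStore()
    tok = store.issue("admin")
    store.revoke(tok)
    print("revoked session resolves to:", store.resolve(tok))
    cred = static_credential_cookie("example-password")
    print("static credential still valid:", verify_static_credential(cred, "example-password"))
```

The design point is the one Matt makes: in the moment of theft both cookie styles grant the same access, so the Secure flag (keeping the cookie off plain HTTP) is the mitigation for interception in either case. The difference is what the defender can do afterwards: a random session token can be revoked or expired server-side, while a value derived from the password only stops working once the password itself is changed.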