[wp-hackers] Rethinking check_admin_referer()
Brian at TheCodeCave.com
Tue Apr 18 14:32:52 GMT 2006
>You can reduce the number of
>hashes that need to be computed (so you don't have to compute the
>hash for every minute, going back an hour) by adding the last unit of
>time as floor($minutes/5) so that the time appears to jump from 12:00
>to 12:05 to 12:10 which means you don't have to check all the
Agreed, you would just need to decide what time period the functions would
require. I was worried when I saw the other comment about mailing out links
with these nonces. You want them to be as specific as possible and if they
don't expire, you've already given up a lot of your security.
We use nonces in several ways where I work. With one method we create a
single nonce that is very much like a "I am a super user" badge. It is
only good for a certain period of time and if the client's time is off, it
is disfunctional. Additionly, the functions that produce the nonce have
specific checks that prevent the nonce from being created for a time too far
in the future.
This approach would be simplified for a web app, for the time used in the
hash will always be the server time because nothing is done client side.
Also, there is no need to "post date" a hash allowing it to be good for
perhaps "tommorrow morning". Finally, the server time is not easily
adjusted. With client side checks you must worry about the user manually
adjusting the system time in order to get the same free lunch over and over
The other method we use unlocks a specific specific function for a specific
user for a specific time period. So, our method could include in the hash:
1. A unique identifier for the database being used.
2. The time the nonce was created.
3. A unique identifier for the function to be accessed.
The fact that we are closed source means #3 is a lot more secure for us than
it would be for WordPress.
Please forgive me as I work through the current nonce proposal for
WordPress. Much of this has been stated already in the earlier posts, so
please don't jump all over me if I am restating the obvious. Other parts of
it are just rambling as I am working through ideas...
1. "Are You Sure?" checks on every action performed would provide the most
safety. The idea of using a NONCE is to provide additional security in a
way that does not annoy the users and make WP a pain to use.
2. The goal of the nonce is to prevent a validly logged in admin from
performing unintented administrative activities.
3. A nonce could be created for system wide access, some sort of unit level
access (message management vs comment management vs link management), or for
each specific function (Delete comment <> Mark as spam). This will have to
4. If a nonce validation fails, the user could be prompted with a "Are you
sure?" (this could be done from the nonce verification routine) or forbidden
to take the action. This will have to be decided.
5. In WordPress, a nonce will not be the only security check required. IOW
a user must be logged in and have the proper security in the first place for
the desired action to proceed. This makes life a bit easier.
6. Because WordPress is open-source and popular, nonces can't use a
standardized and predictable method or spammers will just generate nonces
themselves. The method must be variable and that probably means a random
number will have to be used in the hash.
7. If the generation method is random, that means either the resulting hash
must be stored server side for verification purposes OR the number used to
generate the hash must be stored.
8. If a nonce is NOT used in emailed hyperlinks, the random number can be
tied to a user's session and can expire with that session.
9. If nonces are to be used in emailed hyperlinks, the linked administrative
actions could then be taken/activated at any time. This means there is no
specific trigger event that can be used to generate a new random number to
be used in hash method.
10. Wordpress /could/ expire and create nonces at the server time midnight
barrier. This could, be done through a simple SQL statement that assigned a
random number to a field in each user record.
11. If the nonces expire, the user will not know for sure whether a link
sent to them will always produce the same behavior. Whether a nonce expires
after two hours, 24 hours or at the midnight barrier, some users will be
confused about why they sometimes are prompted with "Are You Sure?" and
sometimes they are not. If the midnight barrier is used, the user could
know that when the click on a link in an email sent yesterday (server time)
they will be prompted. It the email was sent today (server time), they will
not get an extra prompt.
12. User sessions that pass the midnight barrier could complicate things.
If they click on a hyperlink that was generated "the day before", then they
will be prompted or denied. (Unless we allow a free pass one-action-pass to
sessions that started the day before. This creates a very small security
hole. We could somehow AJAX them a new page at midnight I guess, but that
seems a bit scary.)
I'll think on this more later, but I thought I would "share" what I've been
tossing around so far...
More information about the wp-hackers