[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Wed Apr 19 19:54:22 GMT 2006

David Chait wrote:
> Wow.  If that's the case I'd prefer to have an AYS prompt on any 
> possibly-nasty GETs (or POSTs), every time.  Screw the referrer check. ;)

Isn't that what I've been saying?  ;)

> And, sorry to jump backwards in the conversation to another thread point, 
> but I know someone mentioned the 'overhead' of actually writing temporary 
> hash codes, Nonces, whatever into the DB (with a timestamp... I did this 
> with a session-based custom PHP app, makes it a bit more secure, especially 
> with the last-visited IP ;).)  But we're talking administration commands 
> with effects here.  Just admins.  The overhead of reading/writing hashes, 
> when/where needed (even if it's every action/submit), for administration 
> should be negligible compared to the hits of hundreds, or thousands of users 
> (or more) per day.  Right?

Check this out:

1. Get a cookie from the client named "Key".
2. Check "Key" for validity by comparing it to a value stored in the 
3. Generate a new random value, store it in the database, and send it 
out as the new value for the cookie "Key".
4. If "Key" was invalid or did not exist, display a "Proceed to Admin" 
page that redirects on submission to the intended page.

Of course the down side is that using the Back button would always cause 
the "Proceed to Admin" page to appear as the next page, and you couldn't 
be logged in as the same user in two different places at once without 
seeing that page pretty frequently.  And the database writes.

Ah, nevermind.

Primarily, using database storage for the nonce becomes inconvenient for 
the case with two users logged in under the same account at different 
locations, since they would presumably be performing different 
operations at the same time, and could very likely never have a valid 
nonce, according to what's stored in the database.

By the time you code a way around that, you've probably reached the 
complexity of the purely computational nonce we've been suggesting, AND 
you've added an additional albeit minor database drain.



More information about the wp-hackers mailing list