[wp-hackers] Rethinking check_admin_referer()

Owen Winkler ringmaster at midnightcircus.com
Wed Apr 19 19:54:22 GMT 2006


David Chait wrote:
> Wow.  If that's the case I'd prefer to have an AYS prompt on any 
> possibly-nasty GETs (or POSTs), every time.  Screw the referrer check. ;)

Isn't that what I've been saying?  ;)

> And, sorry to jump backwards in the conversation to another thread point, 
> but I know someone mentioned the 'overhead' of actually writing temporary 
> hash codes, Nonces, whatever into the DB (with a timestamp... I did this 
> with a session-based custom PHP app, makes it a bit more secure, especially 
> with the last-visited IP ;).)  But we're talking administration commands 
> with effects here.  Just admins.  The overhead of reading/writing hashes, 
> when/where needed (even if it's every action/submit), for administration 
> should be negligible compared to the hits of hundreds, or thousands of users 
> (or more) per day.  Right?

Check this out:

1. Get a cookie from the client named "Key".
2. Check "Key" for validity by comparing it to a value stored in the 
database.
3. Generate a new random value, store it in the database, and send it 
out as the new value for the cookie "Key".
4. If "Key" was invalid or did not exist, display a "Proceed to Admin" 
page that redirects on submission to the intended page.

Of course the down side is that using the Back button would always cause 
the "Proceed to Admin" page to appear as the next page, and you couldn't 
be logged in as the same user in two different places at once without 
seeing that page pretty frequently.  And the database writes.

Ah, never mind.

Primarily, using database storage for the nonce becomes inconvenient for 
the case with two users logged in under the same account at different 
locations, since they would presumably be performing different 
operations at the same time, and could very likely never have a valid 
nonce, according to what's stored in the database.

By the time you code a way around that, you've probably reached the 
complexity of the purely computational nonce we've been suggesting, AND 
you've added an additional albeit minor database drain.

Woo-hoo!

Owen
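To make the trade-off in this message concrete, here is an added illustration (my own model, not Owen's code and not WordPress's check_admin_referer() implementation). The first part models the four-step database-stored "Key" cookie from the message and shows the failure for two sessions on one account; the second part models the "purely computational" nonce: an HMAC over a coarse time tick, the user and the action, verified against the current and previous tick, so nothing is stored and concurrent sessions agree on the value. `DbNonceStore`, `make_nonce`, `verify_nonce`, the 12-hour `WINDOW` and the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


# --- Model 1: the database-stored, rotating "Key" cookie from the message ---
# One stored value per account (an in-memory dict stands in for the DB table).
# Every admin request checks the presented value, then rotates it (step 3),
# whether or not the check passed.
class DbNonceStore:
    def __init__(self):
        self.table = {}  # user_id -> the single currently valid "Key"

    def issue(self, user_id):
        value = secrets.token_hex(16)
        self.table[user_id] = value
        return value

    def check_and_rotate(self, user_id, presented):
        stored = self.table.get(user_id)
        valid = stored is not None and hmac.compare_digest(stored, presented)
        return valid, self.issue(user_id)  # rotate regardless of outcome


def two_sessions_same_account(store, user_id):
    """Two browsers logged in as the same account, alternating requests.
    Returns a list of (session, accepted) outcomes."""
    key_a = store.issue(user_id)   # session A logs in and receives a Key
    key_b = store.issue(user_id)   # session B logs in; its Key replaces A's
    outcomes = []
    ok, key_a = store.check_and_rotate(user_id, key_a)  # A presents a stale Key
    outcomes.append(("A", ok))
    ok, key_b = store.check_and_rotate(user_id, key_b)  # B's Key was just rotated away by A
    outcomes.append(("B", ok))
    return outcomes


# --- Model 2: a stateless, computational nonce (no database row at all) ---
SECRET = b"constructed-server-secret-for-this-example-only"  # assumption
WINDOW = 12 * 60 * 60   # assumed tick length; a nonce is accepted for this tick and the previous one


def _tick(now):
    return int(now // WINDOW)


def _nonce_for_tick(tick, user_id, action, secret):
    msg = f"{tick}|{user_id}|{action}".encode()
    # Truncated hex of an HMAC: unforgeable without the secret, cheap to recompute.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_nonce(user_id, action, now=None, secret=SECRET):
    """Issue a nonce bound to this user, this action and the current tick."""
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), user_id, action, secret)


def verify_nonce(nonce, user_id, action, now=None, secret=SECRET):
    """Accept the nonce if it matches the current or the previous tick."""
    now = time.time() if now is None else now
    for age in (0, 1):
        expected = _nonce_for_tick(_tick(now) - age, user_id, action, secret)
        if hmac.compare_digest(expected, nonce):
            return True
    return False


if __name__ == "__main__":
    print("DB-stored Key, two sessions:", two_sessions_same_account(DbNonceStore(), 7))
    n = make_nonce(7, "delete-post-42")
    print("computational nonce valid for its user/action:", verify_nonce(n, 7, "delete-post-42"))
    print("same nonce, other action:", verify_nonce(n, 7, "delete-post-43"))
```

With the stored Key, the two sessions each invalidate the other on every request, which is exactly the "could very likely never have a valid nonce" outcome; with the computational nonce both sessions derive the same value for the same user, action and tick, so neither a database write nor any cross-session coordination is needed, and a nonce lifted from one action or one user does not verify for another.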
