[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Thu Apr 20 01:56:19 GMT 2006

On 4/19/06, Geoff Johnson <thunderlove at gmail.com> wrote:
> Am I missing something?  Again, why not a random cookie value each time??
> Each time a page is generated, a random cookie is given to the user (say,
> any user who already has a cookie).   The page being generated has this
> unique random key embedded in any admin 'edit' links.
> When a request is made of an admin, along with (instead of, before) the
> refer check, simply compare the cookie to the key embedded in the link.

I open a new tab, browse some other page in my admin which overwrites
said cookie, come back and try to submit that form (maybe I want to
double check something on one of the manage pages before making my
choice). The cookie has been overwritten and now no longer matches,
and your system has caused an inconvinience for no [good] reason.

> The database strategy seems overkill to me -- we only need to validate the
> link, not the user :)   I have no objection to using the database to
> authenticate links, certainly, but it seems like unnecessary overhead, not
> to mention a minor PITA.

This is why we'd like computational hashes that automatically expire
within a certain time period.

> Another advantage of the random cookie idea:  automation with curl et al,
> would be easy.


--Robert Deaton

More information about the wp-hackers mailing list