[wp-hackers] New secure cookie protocol in trunk

Ryan Boren ryan at boren.nu
Sun Dec 16 18:00:00 GMT 2007

(Cross-posted to hackers and testers)

A new cookie protocol has landed in trunk.  This protocol is based on
the one described here:


The cookie is laid out like so:

user name|expiration time|HMAC( user name|expiration time, k)
where k = HMAC(user name|expiration time, sk)
and where sk is a secret key

sk, the secret key, consists of a random string saved to the options
table in a "secret" field and a user definable secret key specified
in wp-config.php with the SECRET_KEY define.  If SECRET_KEY is not
defined, the DB connect info is used to construct SECRET_KEY.  Cookies
can be mass-expired by changing SECRET_KEY or "secret" in the options
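
The layout and key derivation above, carried out end to end as an added Python example; this is not the PHP code that landed in trunk. It assumes SHA-256 as the HMAC digest (the message does not name one), represents sk as the "secret" option concatenated with SECRET_KEY, and uses constructed stand-in values for both. It also shows the three checks a verifier needs: the expiration, a constant-time comparison of the tag, and the mass-expiry that follows from changing either secret.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the random "secret" option row and the
# SECRET_KEY define from wp-config.php (assumptions, not real values).
SECRET_OPTION = "rK9z2mQwL4pX7vB1"
SECRET_KEY = "put-your-unique-phrase-here"


def secret_key(secret_option=SECRET_OPTION, secret_key=SECRET_KEY):
    """sk: both secrets combined; changing either one invalidates every cookie."""
    return (secret_option + secret_key).encode()


def _hmac(key, message):
    # Digest choice is an assumption; the protocol only needs a keyed MAC.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def derive_k(username, expiration, sk):
    """k = HMAC(user name|expiration time, sk)."""
    return _hmac(sk, f"{username}|{expiration}".encode())


def make_cookie(username, expiration, sk):
    """user name|expiration time|HMAC(user name|expiration time, k)."""
    payload = f"{username}|{expiration}"
    k = derive_k(username, expiration, sk)
    tag = _hmac(k.encode(), payload.encode())
    return f"{payload}|{tag}"


def validate_cookie(cookie, sk, now=None):
    """Return the user name if the cookie is well formed, unexpired and
    authentic under sk, otherwise None."""
    # Split from the right so the tag and expiration are always the last
    # two fields even if a user name were to contain the separator.
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, exp_str, tag = parts
    if not exp_str.isdigit():
        return None
    expiration = int(exp_str)
    now = time.time() if now is None else now
    if expiration < now:
        return None  # expired, no point in doing the MAC work
    k = derive_k(username, expiration, sk)
    expected = _hmac(k.encode(), f"{username}|{expiration}".encode())
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    sk = secret_key()
    cookie = make_cookie("alice", int(time.time()) + 3600, sk)
    print(cookie)
    print("valid for:", validate_cookie(cookie, sk))
    # Rotating the "secret" option mass-expires existing cookies.
    print("after rotation:", validate_cookie(cookie, secret_key(secret_option="new-random-value")))
```

A cookie forged for another user fails because k, and therefore the outer tag, depends on the user name; a cookie whose expiration was pushed forward fails for the same reason; and rotating either half of sk rejects every outstanding cookie at once, which is the mass-expiry behaviour the message describes.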

This protocol requires the hash_hmac() function.  This function is
available only in php 5.1.2 and later, so we added a php
implementation of it to compat.php.  If you are using PHP versions <
5.1.2, let us know if you have any troubles with regard to

The cookie design is still being discussed, so expect some more
changes.  You can join the ongoing design discussion here:


