[wp-hackers] Wordpress Cookie Authentication Vulnerability

Travis Snoozy ai2097 at users.sourceforge.net
Thu Nov 22 03:44:54 GMT 2007


On Wed, 21 Nov 2007 22:34:05 -0500, Callum Macdonald
<lists.automattic.com at callum-macdonald.com> wrote:

<snip>
> > 2. Cookies: Why are we using double-MD5 as the cookie? Why are we
> > not using PHP Sessions instead? This would prevent this problem.
> > Anybody know?
> >   
> Sessions don't allow persistent logins. I don't think the current 
> solution is a particularly major vulnerability, although I think it 
> would make sense to store a login token and update that every time
> the user logs in. That token is then written to the cookie (as in
> MediaWiki for example).

Please don't make me repeat myself[1]. ;)

> This raises the question, if somebody writes the code, how does it
> end up in core?

See above. :p

We could argue ad infinum over usability vs. security. People closer
to the actual installation (read: admins) are better at making that
choice than the package itself. Which isn't to say that there shouldn't
be options or a reasonably secure default -- but write the code first.
Make the options available, and *then* partake of as much bickering
over which should be default and/or in core as you please. :)


-- 
Travis 

In Series maintainer
Random coder & quality guy
<http://remstate.com/>

[1]
http://comox.textdrive.com/pipermail/wp-hackers/2007-November/016215.html


More information about the wp-hackers mailing list