Tie nonces and cookies to expirable sessions
Reported by: ryan | Owned by: (unassigned)
Severity: normal | Keywords: has-patch commit 3.9-early
Cc: scribu, johnbillion, juliobosk@…, xoodrew@…, erick@…, ddebernardy@…
Description (last modified by duck_)
Authentication cookies are reusable even after a user decides to explicitly log out. Cookies should be tied to an expirable session that can also be deleted upon logout.
Also, nonce security can be improved by associating them with the same session information. OWASP specifies that "the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session." Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidated whenever the cookie is invalidated.
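The following is an added, self-contained model of what the description asks for; it is not WordPress code and not the patch attached to this ticket. It keeps a server-side session record per login, signs the auth cookie over the session token, and mixes that same token into every nonce, so a logout (or session expiry) invalidates both the cookie and any nonce issued under it. The in-memory `SessionStore`, the `SECRET_KEY`, the cookie layout and the half-life "tick" scheme are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-key"
NONCE_LIFE = 24 * 60 * 60  # seconds a nonce stays valid (two half-life windows)


def _token_hash(token: str) -> str:
    # Only a hash of the session token is stored, so a leaked session table
    # cannot be turned back into valid cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """In-memory stand-in for server-side session records (assumed design)."""

    def __init__(self):
        self._sessions = {}  # token hash -> {"user": id, "expires": unix time}

    def create(self, user_id: int, ttl: int, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_hex(32)
        self._sessions[_token_hash(token)] = {"user": user_id, "expires": now + ttl}
        return token

    def verify(self, token: str, now=None):
        """Return the user id of a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = _token_hash(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self._sessions[key]  # lazily drop expired sessions
            return None
        return rec["user"]

    def destroy(self, token: str) -> None:
        """Logout: forget the session so the cookie and its nonces stop working."""
        self._sessions.pop(_token_hash(token), None)

    def destroy_all_for_user(self, user_id: int) -> None:
        """Log the user out everywhere, e.g. after a password change."""
        for key in [k for k, r in self._sessions.items() if r["user"] == user_id]:
            del self._sessions[key]


def _sign(msg: str) -> str:
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()


def make_auth_cookie(user_id: int, token: str, expires: int) -> str:
    # Cookie carries the session token itself; the server checks it against the store.
    payload = f"{user_id}|{expires}|{token}"
    return f"{payload}|{_sign(payload)}"


def parse_auth_cookie(store: SessionStore, cookie: str, now=None):
    """Return (user_id, token) if signature, expiry and session all check out, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user_s, exp_s, token, sig = parts
    if not hmac.compare_digest(_sign(f"{user_s}|{exp_s}|{token}"), sig):
        return None
    try:
        if int(exp_s) <= now:
            return None
        user_id = int(user_s)
    except ValueError:
        return None
    # The server-side check is what makes logout effective: a signed,
    # unexpired cookie is still rejected once its session record is gone.
    if store.verify(token, now) != user_id:
        return None
    return user_id, token


def _nonce_tick(now: float) -> int:
    return math.ceil(now / (NONCE_LIFE / 2))


def create_nonce(action: str, user_id: int, token: str, now=None) -> str:
    now = time.time() if now is None else now
    # Binding the session token into the nonce ties its lifetime to the cookie.
    return _sign(f"{_nonce_tick(now)}|{action}|{user_id}|{token}")[-12:]


def verify_nonce(store: SessionStore, nonce: str, action: str, cookie: str, now=None) -> bool:
    now = time.time() if now is None else now
    ident = parse_auth_cookie(store, cookie, now)
    if ident is None:
        return False  # no live session, so no nonce can be valid
    user_id, token = ident
    tick = _nonce_tick(now)
    for t in (tick, tick - 1):  # accept the current and previous half-life window
        expected = _sign(f"{t}|{action}|{user_id}|{token}")[-12:]
        if hmac.compare_digest(expected, nonce):
            return True
    return False
```

A nonce minted under one session is rejected when presented with a different session's cookie for the same user, and both cookie and nonce fail after `destroy()`, which is the behaviour the ticket asks for; the half-life windows only bound how long a nonce lives within a session, they no longer let it outlive the login.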
Change History (20)
- Keywords has-patch added
- Milestone changed from Future Release to 3.7
- Summary changed from Tie nonces to the current session to Tie nonces and cookies to expirable sessions