id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
8212,generate/validate_auth_cookie doesn't always check scheme,tellyworth,anonymous,"When using wp_generate_auth_cookie() and wp_validate_auth_cookie() with one of the standard auth schemes (auth, secure_auth, logged_in), the cookie will correctly fail to validate if the wrong scheme is used:

{{{
		$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
		$this->assertEquals( 1, wp_validate_auth_cookie($cookie, 'auth') ); // pass

		$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
		$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'logged_in') ); // pass
}}}

However, this is not the case when arbitrary auth schemes are used. The cookie will validate even if the scheme is incorrect.

{{{
		// expiration must be in the future, otherwise validation fails on expiry alone
		$cookie = wp_generate_auth_cookie(1, time() + 3600, 'foo');
		$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'bar') ); // this should fail, but doesn't
}}}

The reason the built-in schemes work as expected is that they each use a unique salt. Arbitrary schemes all use the same salt (see wp_salt()).
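A Python model of the two functions, added here as an illustration and not code from this ticket or from WordPress, using constructed secrets and a constructed user table: the shared fallback salt lets a cookie issued for 'foo' validate under 'bar', while the scheme_bound switch (an assumed hardening, not WordPress's actual fix) shows what changes once the salt is derived from the scheme name.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the wp-config.php secrets, not real WordPress keys.
BUILTIN_SECRETS = {'auth': b'AUTH_KEY-x', 'secure_auth': b'SECURE_AUTH_KEY-x',
                   'logged_in': b'LOGGED_IN_KEY-x'}
SHARED_SECRET = b'SECRET_KEY-x'
# Constructed user table: login and stored password hash (WP mixes in chars 8-11).
USERS = {1: ('alice', '$P$BconstructedHashFragmentXYZ')}

def wp_salt(scheme, scheme_bound=False):
    # Mirrors the ticket's observation: each built-in scheme has its own secret,
    # every other scheme name falls through to the single shared secret.
    if scheme in BUILTIN_SECRETS:
        return BUILTIN_SECRETS[scheme]
    if scheme_bound:
        # Hardening sketch (an assumption, not WordPress code): fold the scheme
        # name into the salt so 'foo' and 'bar' derive different keys.
        return hmac.new(SHARED_SECRET, scheme.encode(), hashlib.md5).digest()
    return SHARED_SECRET

def generate_auth_cookie(user_id, expiration, scheme='auth', scheme_bound=False):
    login, user_pass = USERS[user_id]
    pass_frag = user_pass[8:12]
    key = hmac.new(wp_salt(scheme, scheme_bound),
                   f'{login}{pass_frag}|{expiration}'.encode(), hashlib.md5).digest()
    digest = hmac.new(key, f'{login}|{expiration}'.encode(), hashlib.md5).hexdigest()
    return f'{login}|{expiration}|{digest}'

def validate_auth_cookie(cookie, scheme='auth', scheme_bound=False):
    # Returns the user id on success and False otherwise, like the WP function.
    parts = cookie.split('|')
    if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) < time.time():
        return False
    for user_id, (name, _) in USERS.items():
        if name == parts[0]:
            expected = generate_auth_cookie(user_id, int(parts[1]), scheme, scheme_bound)
            return user_id if hmac.compare_digest(expected, cookie) else False
    return False

def demonstrate(scheme_bound=False):
    # The ticket's cases: wrong built-in scheme, then wrong and right custom scheme.
    exp = int(time.time()) + 3600
    auth, foo = (generate_auth_cookie(1, exp, s, scheme_bound) for s in ('auth', 'foo'))
    return {'auth/logged_in': validate_auth_cookie(auth, 'logged_in', scheme_bound),
            'foo/bar': validate_auth_cookie(foo, 'bar', scheme_bound),
            'foo/foo': validate_auth_cookie(foo, 'foo', scheme_bound)}
```

With the shared salt, demonstrate() reports the 'foo/bar' cookie as valid for user 1; with scheme_bound=True it is rejected while 'foo/foo' still passes.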

NB: I don't believe this is a core security issue, but fixing it could prevent future problems.",defect (bug),closed,normal,2.7,General,,normal,fixed,,
