Opened 4 years ago
Closed 4 years ago
#9577 closed enhancement (wontfix)
use user_id rather than user_login in the authentication cookie
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Users | Version: | 2.8 |
| Severity: | minor | Keywords: | has-patch early |
| Cc: |
Description
suggested enhancement:
- prevent username from matching /d+/
- use user_id, instead of user_login, in the authentication cookie
Attachments (1)
Change History (12)
- Keywords has-patch tested added
- Keywords dev-feedback added
I think we went with username instead of ID in the cookie because we expose usernames in so many other places that isn't really very private.
Sounds reasonable. It *could* be an issue when the username is an email, though. ;-)
- Keywords dev-feedback removed
see also: #9568
- Resolution set to wontfix
- Status changed from new to closed
Since you took care of the email case in your other patch, I'd like to say wontfix on this one.
- Component changed from Security to Users
- Keywords early added
- Milestone set to 2.9
- Resolution wontfix deleted
- Status changed from closed to reopened
actually, the user_nicename and the cookie are separate issues.
the cookie currently contains the user_login, rather than the user_nicename. I could change the patch to use the user_nicename if you think it's preferrable.
- Keywords tested removed
- Severity changed from normal to minor
still applies clean, but delaying this until we get the log in using email address thingy done. else, it makes no sense to get this into WP.
- Milestone 2.9 deleted
- Resolution set to wontfix
- Status changed from reopened to closed
closing this, based on westi's suggestion in the #9568
this one might be worth a discussion in wp-hackers. it is meant to prevent the username to be passed in the cookie.
it *might* break a plugin or two that relies on the auth_cookie_bad_username hook. we could alternatively keep that hook's name unchanged, but the semantics would wrong. or we could fire both auth_cookie_bad_username *and* auth_cookie_bad_user_id, passing the user_id each time -- to ensure 100% backwards compat.