Make WordPress Core

Changeset 6387


Ignore:
Timestamp:
12/16/2007 05:41:59 PM (17 years ago)
Author:
ryan
Message:

New secure cookie protocol. see #5367

Location:
trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/misc.php

    r6025 r6387  
    129129}
    130130
    131 // If siteurl or home changed, reset cookies and flush rewrite rules.
     131// If siteurl or home changed, flush rewrite rules.
    132132function update_home_siteurl( $old_value, $value ) {
    133133    global $wp_rewrite, $user_login, $user_pass_md5;
     
    138138    // If home changed, write rewrite rules to new location.
    139139    $wp_rewrite->flush_rules();
    140     // Clear cookies for old paths.
    141     wp_clearcookie();
    142     // Set cookies for new paths.
    143     wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));
    144140}
    145141
  • trunk/wp-config-sample.php

    r5457 r6387  
    77define('DB_CHARSET', 'utf8');
    88define('DB_COLLATE', '');
     9define('SECRET_KEY', ''); // Change this to a unique phrase.
    910
    1011// You can have multiple installations in one database if you give each a unique prefix
  • trunk/wp-includes/compat.php

    r6309 r6387  
    148148}
    149149
     150if ( ! function_exists('hash_hmac') ):
     151function hash_hmac($algo, $data, $key, $raw_output = false) {
     152    $packs = array('md5' => 'H32', 'sha1' => 'H40');
     153
     154    if ( !isset($packs[$algo]) )
     155        return false;
     156
     157    $pack = $packs[$algo];
     158
     159    if (strlen($key) > 64)
     160        $key = pack($pack, $algo($key));
     161    else if (strlen($key) < 64)
     162        $key = str_pad($key, 64, chr(0));
     163       
     164    $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64));
     165    $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64));
     166
     167    return $algo($opad . pack($pack, $algo($ipad . $data)));
     168}
     169endif;
     170
    150171// Added in PHP 4.3.0?
    151172if (!defined('IMAGETYPE_GIF'))
  • trunk/wp-includes/pluggable.php

    r6385 r6387  
    4747        return;
    4848
    49     if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) ||
    50         !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) {
     49    if ( ! $user = wp_validate_auth_cookie() ) {
    5150        wp_set_current_user(0);
    5251        return false;
    5352    }
    5453
    55     $user_login = $_COOKIE[USER_COOKIE];
    56     wp_set_current_user(0, $user_login);
     54    wp_set_current_user($user);
    5755}
    5856endif;
     
    294292
    295293if ( !function_exists('wp_login') ) :
    296 function wp_login($username, $password, $already_md5 = false) {
     294function wp_login($username, $password, $deprecated = false) {
    297295    global $wpdb, $error;
    298296
     
    314312    }
    315313
    316     // If the password is already_md5, it has been double hashed.
    317     // Otherwise, it is plain text.
    318     if ( !$already_md5 ) {
    319         if ( wp_check_password($password, $login->user_pass) ) {
    320             // If using old md5 password, rehash.
    321             if ( strlen($login->user_pass) <= 32 ) {
    322                 $hash = wp_hash_password($password);
    323                 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
    324                 wp_cache_delete($login->ID, 'users');
    325             }
    326 
    327             return true;
    328         }
     314    if ( !wp_check_password($password, $login->user_pass) ) {
     315        $error = __('<strong>ERROR</strong>: Incorrect password.');
     316        return false;
     317    }
     318
     319    // If using old md5 password, rehash.
     320    if ( strlen($login->user_pass) <= 32 ) {
     321        $hash = wp_hash_password($password);
     322        $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'");
     323        wp_cache_delete($login->ID, 'users');
     324    }
     325
     326    return true;
     327}
     328endif;
     329
     330if ( !function_exists('wp_validate_auth_cookie') ) :
     331function wp_validate_auth_cookie($cookie = '') {
     332    if ( empty($cookie) ) {
     333        if ( empty($_COOKIE[AUTH_COOKIE]) )
     334            return false;
     335        $cookie = $_COOKIE[AUTH_COOKIE];
     336    }
     337
     338    list($username, $expiration, $hmac) = explode('|', $cookie);
     339
     340    $expired = $expiration;
     341
     342    // Allow a grace period for POST requests
     343    if ( 'POST' == $_SERVER['REQUEST_METHOD'] )
     344        $expired += 3600;
     345
     346    if ( $expired < time() )
     347        return false;
     348
     349    $key = wp_hash($username . $expiration);
     350    $hash = hash_hmac('md5', $username . $expiration, $key);
     351   
     352    if ( $hmac != $hash )
     353        return false;
     354
     355    $user = get_userdatabylogin($username);
     356    if ( ! $user )
     357        return false;
     358
     359    return $user->ID;
     360}
     361endif;
     362
     363if ( !function_exists('wp_set_auth_cookie') ) :
     364function wp_set_auth_cookie($user_id, $remember = false) {
     365    $user = get_userdata($user_id);
     366
     367    if ( $remember ) {
     368        $expiration = $expire = time() + 1209600;
    329369    } else {
    330         if ( md5($login->user_pass) == $password )
    331             return true;
    332     }
    333 
    334     $error = __('<strong>ERROR</strong>: Incorrect password.');
    335     return false;
     370        $expiration = time() + 172800;
     371        $expire = 0;
     372    }
     373
     374    $key = wp_hash($user->user_login . $expiration);
     375    $hash = hash_hmac('md5', $user->user_login . $expiration, $key);
     376
     377    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
     378
     379    setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
     380    if ( COOKIEPATH != SITECOOKIEPATH )
     381        setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
     382}
     383endif;
     384
     385if ( !function_exists('wp_clear_auth_cookie') ) :
     386function wp_clear_auth_cookie() {
     387    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     388    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     389
     390    // Old cookies
     391    setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     392    setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
     393    setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
     394    setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 
    336395}
    337396endif;
     
    351410function auth_redirect() {
    352411    // Checks if a user is logged in, if not redirects them to the login page
    353     if ( (!empty($_COOKIE[USER_COOKIE]) &&
    354                 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||
    355              (empty($_COOKIE[USER_COOKIE])) ) {
     412    if ( (!empty($_COOKIE[AUTH_COOKIE]) &&
     413                !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) ||
     414             (empty($_COOKIE[AUTH_COOKIE])) ) {
    356415        nocache_headers();
    357416
     
    380439        $current_name = '';
    381440        if ( ( $current = wp_get_current_user() ) && $current->ID )
    382             $current_name = $current->data->user_login;
     441            $current_name = $current->user_login;
    383442        if ( !$current_name )
    384443            die('-1');
    385444
     445        $auth_cookie = '';
    386446        $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie
    387447        foreach ( $cookie as $tasty ) {
    388             if ( false !== strpos($tasty, USER_COOKIE) )
    389                 $user = substr(strstr($tasty, '='), 1);
    390             if ( false !== strpos($tasty, PASS_COOKIE) )
    391                 $pass = substr(strstr($tasty, '='), 1);
     448            if ( false !== strpos($tasty, AUTH_COOKIE) )
     449                $auth_cookie = substr(strstr($tasty, '='), 1);
    392450        }
    393451
    394         if ( $current_name != $user || !wp_login( $user, $pass, true ) )
     452        if ( $current_name != $user || empty($auth_cookie) || !wp_validate_auth_cookie( $auth_cookie ) )
    395453            die('-1');
    396454    }
     
    470528
    471529    wp_redirect($location, $status);
    472 }
    473 endif;
    474 
    475 if ( !function_exists('wp_get_cookie_login') ):
    476 function wp_get_cookie_login() {
    477     if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )
    478         return false;
    479 
    480     return array('login' => $_COOKIE[USER_COOKIE],  'password' => $_COOKIE[PASS_COOKIE]);
    481 }
    482 
    483 endif;
    484 
    485 if ( !function_exists('wp_setcookie') ) :
    486 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
    487     $user = get_userdatabylogin($username);
    488     if ( !$already_md5) {
    489         $password = md5($user->user_pass); // Double hash the password in the cookie.
    490     }
    491 
    492     if ( empty($home) )
    493         $cookiepath = COOKIEPATH;
    494     else
    495         $cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );
    496 
    497     if ( empty($siteurl) ) {
    498         $sitecookiepath = SITECOOKIEPATH;
    499         $cookiehash = COOKIEHASH;
    500     } else {
    501         $sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' );
    502         $cookiehash = md5($siteurl);
    503     }
    504 
    505     if ( $remember )
    506         $expire = time() + 31536000;
    507     else
    508         $expire = 0;
    509 
    510     setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
    511     setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
    512 
    513     if ( $cookiepath != $sitecookiepath ) {
    514         setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
    515         setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
    516     }
    517 }
    518 endif;
    519 
    520 if ( !function_exists('wp_clearcookie') ) :
    521 function wp_clearcookie() {
    522     setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    523     setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
    524     setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    525     setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
    526530}
    527531endif;
     
    693697function wp_salt() {
    694698    $salt = get_option('secret');
    695     if ( empty($salt) )
    696         $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH;
    697 
    698     return $salt;
     699    if ( empty($salt) ) {
     700        $salt = wp_generate_password();
     701        update_option('secret', $salt);
     702    }
     703
     704    if ( !defined('SECRET_KEY') || '' == SECRET_KEY )
     705        $secret_key = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH;
     706    else
     707        $secret_key = SECRET_KEY;
     708       
     709    return $salt . $secret_key;
    699710}
    700711endif;
     
    759770}
    760771endif;
     772
     773// Deprecated. Use wp_set_auth_cookie()
     774if ( !function_exists('wp_setcookie') ) :
     775function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
     776    $user = get_userdatabylogin($username);
     777    wp_set_auth_cookie($user->ID, $remember);
     778}
     779endif;
     780
     781// Deprecated. Use wp_clear_auth_cookie()
     782if ( !function_exists('wp_clearcookie') ) :
     783function wp_clearcookie() {
     784    wp_clear_auth_cookie();
     785}
     786endif;
     787
     788// Deprecated.  No alternative.
     789if ( !function_exists('wp_get_cookie_login') ):
     790function wp_get_cookie_login() {
     791    return false;
     792}
     793endif;
     794
    761795?>
  • trunk/wp-includes/registration.php

    r6350 r6387  
    168168    if ( $current_user->id == $ID ) {
    169169        if ( isset($plaintext_pass) ) {
    170             wp_clearcookie();
    171             wp_setcookie($userdata['user_login'], $plaintext_pass);
     170            wp_clear_auth_cookie();
     171            wp_set_auth_cookie($ID);
    172172        }
    173173    }
  • trunk/wp-login.php

    r6385 r6387  
    289289    $user_login = '';
    290290    $user_pass = '';
    291     $using_cookie = FALSE;
    292291
    293292    if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() )
     
    297296
    298297    if ( $http_post ) {
     298        // If cookies are disabled we can't log in even with a valid user+pass
     299        if ( empty($_COOKIE[TEST_COOKIE]) )
     300            $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.');
     301       
    299302        $user_login = $_POST['log'];
    300303        $user_login = sanitize_user( $user_login );
    301304        $user_pass  = $_POST['pwd'];
    302305        $rememberme = $_POST['rememberme'];
     306
     307        do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass));
    303308    } else {
    304         $cookie_login = wp_get_cookie_login();
    305         if ( ! empty($cookie_login) ) {
    306             $using_cookie = true;
    307             $user_login = $cookie_login['login'];
    308             $user_pass = $cookie_login['password'];
    309         }
    310     }
    311 
    312     do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass));
    313 
    314     // If cookies are disabled we can't log in even with a valid user+pass
    315     if ( $http_post && empty($_COOKIE[TEST_COOKIE]) )
    316         $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.');
     309        $user = wp_validate_auth_cookie();
     310        if ( !$user ) {
     311            $errors['expiredsession'] = __('Your session has expired.');
     312        } else {
     313            $user = new WP_User($user);
     314
     315            // If the user can't edit posts, send them to their profile.
     316            if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
     317                $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
     318            wp_safe_redirect($redirect_to);
     319            exit();
     320        }
     321    }
    317322
    318323    if ( $user_login && $user_pass && empty( $errors ) ) {
     
    323328            $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
    324329
    325         if ( wp_login($user_login, $user_pass, $using_cookie) ) {
    326             if ( !$using_cookie )
    327                 wp_setcookie($user_login, $user_pass, false, '', '', $rememberme);
     330        if ( wp_login($user_login, $user_pass) ) {
     331            wp_set_auth_cookie($user->ID, $rememberme);
    328332            do_action('wp_login', $user_login);
    329333            wp_safe_redirect($redirect_to);
    330334            exit();
    331         } else {
    332             if ( $using_cookie )
    333                 $errors['expiredsession'] = __('Your session has expired.');
    334335        }
    335336    }
  • trunk/wp-settings.php

    r6325 r6387  
    187187
    188188if ( !defined('USER_COOKIE') )
    189     define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
     189    define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH);
    190190if ( !defined('PASS_COOKIE') )
    191     define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
     191    define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH);
     192if ( !defined('AUTH_COOKIE') )
     193    define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH);
    192194if ( !defined('TEST_COOKIE') )
    193195    define('TEST_COOKIE', 'wordpress_test_cookie');
Note: See TracChangeset for help on using the changeset viewer.