WordPress.org

Make WordPress Core

Changeset 6387


Ignore:
Timestamp:
12/16/07 17:41:59 (6 years ago)
Author:
ryan
Message:

New secure cookie protocol. see #5367

Location:
trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/misc.php

    r6025 r6387  
    129129} 
    130130 
    131 // If siteurl or home changed, reset cookies and flush rewrite rules. 
     131// If siteurl or home changed, flush rewrite rules. 
    132132function update_home_siteurl( $old_value, $value ) { 
    133133    global $wp_rewrite, $user_login, $user_pass_md5; 
     
    138138    // If home changed, write rewrite rules to new location. 
    139139    $wp_rewrite->flush_rules(); 
    140     // Clear cookies for old paths. 
    141     wp_clearcookie(); 
    142     // Set cookies for new paths. 
    143     wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' )); 
    144140} 
    145141 
  • trunk/wp-config-sample.php

    r5457 r6387  
    77define('DB_CHARSET', 'utf8'); 
    88define('DB_COLLATE', ''); 
     9define('SECRET_KEY', ''); // Change this to a unique phrase. 
    910 
    1011// You can have multiple installations in one database if you give each a unique prefix 
  • trunk/wp-includes/compat.php

    r6309 r6387  
    148148} 
    149149 
     150if ( ! function_exists('hash_hmac') ): 
     151function hash_hmac($algo, $data, $key, $raw_output = false) { 
     152    $packs = array('md5' => 'H32', 'sha1' => 'H40'); 
     153 
     154    if ( !isset($packs[$algo]) ) 
     155        return false; 
     156 
     157    $pack = $packs[$algo]; 
     158 
     159    if (strlen($key) > 64) 
     160        $key = pack($pack, $algo($key)); 
     161    else if (strlen($key) < 64) 
     162        $key = str_pad($key, 64, chr(0)); 
     163         
     164    $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 
     165    $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 
     166 
     167    return $algo($opad . pack($pack, $algo($ipad . $data))); 
     168} 
     169endif; 
     170 
    150171// Added in PHP 4.3.0? 
    151172if (!defined('IMAGETYPE_GIF')) 
  • trunk/wp-includes/pluggable.php

    r6385 r6387  
    4747        return; 
    4848 
    49     if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || 
    50         !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) { 
     49    if ( ! $user = wp_validate_auth_cookie() ) { 
    5150        wp_set_current_user(0); 
    5251        return false; 
    5352    } 
    5453 
    55     $user_login = $_COOKIE[USER_COOKIE]; 
    56     wp_set_current_user(0, $user_login); 
     54    wp_set_current_user($user); 
    5755} 
    5856endif; 
     
    294292 
    295293if ( !function_exists('wp_login') ) : 
    296 function wp_login($username, $password, $already_md5 = false) { 
     294function wp_login($username, $password, $deprecated = false) { 
    297295    global $wpdb, $error; 
    298296 
     
    314312    } 
    315313 
    316     // If the password is already_md5, it has been double hashed. 
    317     // Otherwise, it is plain text. 
    318     if ( !$already_md5 ) { 
    319         if ( wp_check_password($password, $login->user_pass) ) { 
    320             // If using old md5 password, rehash. 
    321             if ( strlen($login->user_pass) <= 32 ) { 
    322                 $hash = wp_hash_password($password); 
    323                 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 
    324                 wp_cache_delete($login->ID, 'users'); 
    325             } 
    326  
    327             return true; 
    328         } 
     314    if ( !wp_check_password($password, $login->user_pass) ) { 
     315        $error = __('<strong>ERROR</strong>: Incorrect password.'); 
     316        return false; 
     317    } 
     318 
     319    // If using old md5 password, rehash. 
     320    if ( strlen($login->user_pass) <= 32 ) { 
     321        $hash = wp_hash_password($password); 
     322        $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 
     323        wp_cache_delete($login->ID, 'users'); 
     324    } 
     325 
     326    return true; 
     327} 
     328endif; 
     329 
     330if ( !function_exists('wp_validate_auth_cookie') ) : 
     331function wp_validate_auth_cookie($cookie = '') { 
     332    if ( empty($cookie) ) { 
     333        if ( empty($_COOKIE[AUTH_COOKIE]) ) 
     334            return false; 
     335        $cookie = $_COOKIE[AUTH_COOKIE]; 
     336    } 
     337 
     338    list($username, $expiration, $hmac) = explode('|', $cookie); 
     339 
     340    $expired = $expiration; 
     341 
     342    // Allow a grace period for POST requests 
     343    if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) 
     344        $expired += 3600; 
     345 
     346    if ( $expired < time() ) 
     347        return false; 
     348 
     349    $key = wp_hash($username . $expiration); 
     350    $hash = hash_hmac('md5', $username . $expiration, $key); 
     351     
     352    if ( $hmac != $hash ) 
     353        return false; 
     354 
     355    $user = get_userdatabylogin($username); 
     356    if ( ! $user ) 
     357        return false; 
     358 
     359    return $user->ID; 
     360} 
     361endif; 
     362 
     363if ( !function_exists('wp_set_auth_cookie') ) : 
     364function wp_set_auth_cookie($user_id, $remember = false) { 
     365    $user = get_userdata($user_id); 
     366 
     367    if ( $remember ) { 
     368        $expiration = $expire = time() + 1209600; 
    329369    } else { 
    330         if ( md5($login->user_pass) == $password ) 
    331             return true; 
    332     } 
    333  
    334     $error = __('<strong>ERROR</strong>: Incorrect password.'); 
    335     return false; 
     370        $expiration = time() + 172800; 
     371        $expire = 0; 
     372    } 
     373 
     374    $key = wp_hash($user->user_login . $expiration); 
     375    $hash = hash_hmac('md5', $user->user_login . $expiration, $key); 
     376 
     377    $cookie = $user->user_login . '|' . $expiration . '|' . $hash; 
     378 
     379    setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); 
     380    if ( COOKIEPATH != SITECOOKIEPATH ) 
     381        setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); 
     382} 
     383endif; 
     384 
     385if ( !function_exists('wp_clear_auth_cookie') ) : 
     386function wp_clear_auth_cookie() { 
     387    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
     388    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 
     389 
     390    // Old cookies 
     391    setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
     392    setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
     393    setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 
     394    setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);   
    336395} 
    337396endif; 
     
    351410function auth_redirect() { 
    352411    // Checks if a user is logged in, if not redirects them to the login page 
    353     if ( (!empty($_COOKIE[USER_COOKIE]) && 
    354                 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) || 
    355              (empty($_COOKIE[USER_COOKIE])) ) { 
     412    if ( (!empty($_COOKIE[AUTH_COOKIE]) && 
     413                !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || 
     414             (empty($_COOKIE[AUTH_COOKIE])) ) { 
    356415        nocache_headers(); 
    357416 
     
    380439        $current_name = ''; 
    381440        if ( ( $current = wp_get_current_user() ) && $current->ID ) 
    382             $current_name = $current->data->user_login; 
     441            $current_name = $current->user_login; 
    383442        if ( !$current_name ) 
    384443            die('-1'); 
    385444 
     445        $auth_cookie = ''; 
    386446        $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie 
    387447        foreach ( $cookie as $tasty ) { 
    388             if ( false !== strpos($tasty, USER_COOKIE) ) 
    389                 $user = substr(strstr($tasty, '='), 1); 
    390             if ( false !== strpos($tasty, PASS_COOKIE) ) 
    391                 $pass = substr(strstr($tasty, '='), 1); 
     448            if ( false !== strpos($tasty, AUTH_COOKIE) ) 
     449                $auth_cookie = substr(strstr($tasty, '='), 1); 
    392450        } 
    393451 
    394         if ( $current_name != $user || !wp_login( $user, $pass, true ) ) 
     452        if ( $current_name != $user || empty($auth_cookie) || !wp_validate_auth_cookie( $auth_cookie ) ) 
    395453            die('-1'); 
    396454    } 
     
    470528 
    471529    wp_redirect($location, $status); 
    472 } 
    473 endif; 
    474  
    475 if ( !function_exists('wp_get_cookie_login') ): 
    476 function wp_get_cookie_login() { 
    477     if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) ) 
    478         return false; 
    479  
    480     return array('login' => $_COOKIE[USER_COOKIE],  'password' => $_COOKIE[PASS_COOKIE]); 
    481 } 
    482  
    483 endif; 
    484  
    485 if ( !function_exists('wp_setcookie') ) : 
    486 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) { 
    487     $user = get_userdatabylogin($username); 
    488     if ( !$already_md5) { 
    489         $password = md5($user->user_pass); // Double hash the password in the cookie. 
    490     } 
    491  
    492     if ( empty($home) ) 
    493         $cookiepath = COOKIEPATH; 
    494     else 
    495         $cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' ); 
    496  
    497     if ( empty($siteurl) ) { 
    498         $sitecookiepath = SITECOOKIEPATH; 
    499         $cookiehash = COOKIEHASH; 
    500     } else { 
    501         $sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' ); 
    502         $cookiehash = md5($siteurl); 
    503     } 
    504  
    505     if ( $remember ) 
    506         $expire = time() + 31536000; 
    507     else 
    508         $expire = 0; 
    509  
    510     setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN); 
    511     setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN); 
    512  
    513     if ( $cookiepath != $sitecookiepath ) { 
    514         setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN); 
    515         setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN); 
    516     } 
    517 } 
    518 endif; 
    519  
    520 if ( !function_exists('wp_clearcookie') ) : 
    521 function wp_clearcookie() { 
    522     setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
    523     setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 
    524     setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 
    525     setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 
    526530} 
    527531endif; 
     
    693697function wp_salt() { 
    694698    $salt = get_option('secret'); 
    695     if ( empty($salt) ) 
    696         $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 
    697  
    698     return $salt; 
     699    if ( empty($salt) ) { 
     700        $salt = wp_generate_password(); 
     701        update_option('secret', $salt); 
     702    } 
     703 
     704    if ( !defined('SECRET_KEY') || '' == SECRET_KEY ) 
     705        $secret_key = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 
     706    else 
     707        $secret_key = SECRET_KEY; 
     708         
     709    return $salt . $secret_key; 
    699710} 
    700711endif; 
     
    759770} 
    760771endif; 
     772 
     773// Deprecated. Use wp_set_auth_cookie() 
     774if ( !function_exists('wp_setcookie') ) : 
     775function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) { 
     776    $user = get_userdatabylogin($username); 
     777    wp_set_auth_cookie($user->ID, $remember); 
     778} 
     779endif; 
     780 
     781// Deprecated. Use wp_clear_auth_cookie() 
     782if ( !function_exists('wp_clearcookie') ) : 
     783function wp_clearcookie() { 
     784    wp_clear_auth_cookie(); 
     785} 
     786endif; 
     787 
     788// Deprecated.  No alternative. 
     789if ( !function_exists('wp_get_cookie_login') ): 
     790function wp_get_cookie_login() { 
     791    return false; 
     792} 
     793endif; 
     794 
    761795?> 
  • trunk/wp-includes/registration.php

    r6350 r6387  
    168168    if ( $current_user->id == $ID ) { 
    169169        if ( isset($plaintext_pass) ) { 
    170             wp_clearcookie(); 
    171             wp_setcookie($userdata['user_login'], $plaintext_pass); 
     170            wp_clear_auth_cookie(); 
     171            wp_set_auth_cookie($ID); 
    172172        } 
    173173    } 
  • trunk/wp-login.php

    r6385 r6387  
    289289    $user_login = ''; 
    290290    $user_pass = ''; 
    291     $using_cookie = FALSE; 
    292291 
    293292    if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) 
     
    297296 
    298297    if ( $http_post ) { 
     298        // If cookies are disabled we can't log in even with a valid user+pass 
     299        if ( empty($_COOKIE[TEST_COOKIE]) ) 
     300            $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 
     301         
    299302        $user_login = $_POST['log']; 
    300303        $user_login = sanitize_user( $user_login ); 
    301304        $user_pass  = $_POST['pwd']; 
    302305        $rememberme = $_POST['rememberme']; 
     306 
     307        do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 
    303308    } else { 
    304         $cookie_login = wp_get_cookie_login(); 
    305         if ( ! empty($cookie_login) ) { 
    306             $using_cookie = true; 
    307             $user_login = $cookie_login['login']; 
    308             $user_pass = $cookie_login['password']; 
    309         } 
    310     } 
    311  
    312     do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 
    313  
    314     // If cookies are disabled we can't log in even with a valid user+pass 
    315     if ( $http_post && empty($_COOKIE[TEST_COOKIE]) ) 
    316         $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 
     309        $user = wp_validate_auth_cookie(); 
     310        if ( !$user ) { 
     311            $errors['expiredsession'] = __('Your session has expired.'); 
     312        } else { 
     313            $user = new WP_User($user); 
     314 
     315            // If the user can't edit posts, send them to their profile. 
     316            if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 
     317                $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 
     318            wp_safe_redirect($redirect_to); 
     319            exit(); 
     320        } 
     321    } 
    317322 
    318323    if ( $user_login && $user_pass && empty( $errors ) ) { 
     
    323328            $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 
    324329 
    325         if ( wp_login($user_login, $user_pass, $using_cookie) ) { 
    326             if ( !$using_cookie ) 
    327                 wp_setcookie($user_login, $user_pass, false, '', '', $rememberme); 
     330        if ( wp_login($user_login, $user_pass) ) { 
     331            wp_set_auth_cookie($user->ID, $rememberme); 
    328332            do_action('wp_login', $user_login); 
    329333            wp_safe_redirect($redirect_to); 
    330334            exit(); 
    331         } else { 
    332             if ( $using_cookie ) 
    333                 $errors['expiredsession'] = __('Your session has expired.'); 
    334335        } 
    335336    } 
  • trunk/wp-settings.php

    r6325 r6387  
    187187 
    188188if ( !defined('USER_COOKIE') ) 
    189     define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH); 
     189    define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH); 
    190190if ( !defined('PASS_COOKIE') ) 
    191     define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH); 
     191    define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH); 
     192if ( !defined('AUTH_COOKIE') ) 
     193    define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH); 
    192194if ( !defined('TEST_COOKIE') ) 
    193195    define('TEST_COOKIE', 'wordpress_test_cookie'); 
Note: See TracChangeset for help on using the changeset viewer.