WordPress.org

Make WordPress Core

Changes between Initial Version and Version 6 of Ticket #20276


Ignore:
Timestamp:
08/07/2013 02:29:17 PM (6 years ago)
Author:
duck_
Comment:

How should the new $token parameter be added to wp_generate_auth_cookie()? Currently it's just added in the middle. This is nicer, but not backwards compatible.

The best solution to this is probably going to be to have $token added as an optional fourth parameter. If it is not present then a session token will be generated automatically.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #20276

    • Property Cc scribu johnbillion juliobosk@… added
    • Property Summary changed from Tie nonces to the current session to Tie nonces and cookies to expirable sessions
    • Property Milestone changed from Future Release to 3.7
    • Property Keywords has-patch added
    • Property Type changed from defect (bug) to enhancement
  • Ticket #20276 – Description

    initial v6  
    1 Owasp specifies that "the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session." Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidate whenever the cookie invalidates.
     1Authentication cookies are re-usable even after a user decides to explicitly logout. Cookies should be tied to an expirable session that can also be deleted upon logout.
     2
     3Also, nonce security can be improved by associating them with the same session information. Owasp specifies that "the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session." Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidate whenever the cookie invalidates.
    24
    35https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet