Make WordPress Core

Opened 9 years ago

Last modified 4 years ago

#20276 closed task (blessed)

Tie nonces to the current session — at Initial Version

Reported by: ryan
Owned by: (none)
Milestone: 4.0
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

OWASP specifies that "the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session." Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidate whenever the cookie invalidates.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
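The following is an added illustration of the change the ticket asks for, written in Python rather than PHP and not taken from WordPress core. It contrasts a nonce keyed only on action, user and time (which outlives a logout) with one that also folds the session token into the HMAC input, so that every nonce minted under a cookie dies with that cookie. `SECRET_KEY`, `NONCE_LIFE`, `SessionStore` and the 12-character truncation are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads this from its config.
SECRET_KEY = b"constructed-secret-key-for-illustration-only"
# A nonce is accepted in the tick it was minted and in the following tick,
# so its effective lifetime is between NONCE_LIFE/2 and NONCE_LIFE seconds.
NONCE_LIFE = 24 * 60 * 60


def nonce_tick(now):
    """Coarse time bucket (half the nonce lifetime) used as the time input."""
    return int(now // (NONCE_LIFE // 2))


def _digest(parts):
    """HMAC over the pipe-joined inputs, truncated to a short form token."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:]


class SessionStore:
    """Minimal registry of live auth cookies (constructed for the example)."""

    def __init__(self):
        self.active = {}  # session_token -> user_id

    def login(self, user_id):
        token = secrets.token_hex(16)  # value stored in the auth cookie
        self.active[token] = user_id
        return token

    def logout(self, token):
        self.active.pop(token, None)


# --- "Before": the nonce knows nothing about the cookie session. ---------

def create_nonce_legacy(action, user_id, now):
    return _digest([nonce_tick(now), action, user_id])


def verify_nonce_legacy(nonce, action, user_id, now):
    for age in (0, 1):  # current tick and the previous one
        expected = _digest([nonce_tick(now) - age, action, user_id])
        if hmac.compare_digest(nonce, expected):
            return True
    return False


# --- "After": the session token is part of the HMAC input. --------------

def create_nonce(action, user_id, session_token, now):
    return _digest([nonce_tick(now), action, user_id, session_token])


def verify_nonce(nonce, action, user_id, session_token, now):
    for age in (0, 1):
        expected = _digest([nonce_tick(now) - age, action, user_id, session_token])
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def verify_request(nonce, action, user_id, session_token, store, now):
    """Server-side check: the cookie must still be live, then the nonce must
    match under that same cookie. A revoked cookie fails before any HMAC."""
    if store.active.get(session_token) != user_id:
        return False
    return verify_nonce(nonce, action, user_id, session_token, now)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000
    tok = store.login(7)
    old = create_nonce_legacy("delete-post", 7, t0)
    new = create_nonce("delete-post", 7, tok, t0)
    store.logout(tok)
    tok2 = store.login(7)  # same user, fresh cookie
    print("legacy nonce survives re-login:", verify_nonce_legacy(old, "delete-post", 7, t0))
    print("session-bound nonce survives re-login:", verify_request(new, "delete-post", 7, tok2, store, t0))
```

The time window is unchanged from a plain timeout scheme; what changes is that the HMAC input now includes a value that only exists for the lifetime of one auth cookie, so logging out (or rotating the cookie) is enough to invalidate every nonce issued under it, which is exactly the OWASP property the ticket quotes.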

Change History (0)
