Opened 9 years ago
Last modified 5 years ago
#34041 new defect (bug) (maybelater)
Tying nonces to sessions breaks when users are switched
| Reported by: | westi | Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | major | Version: | 4.3 |
| Component: | Security | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
Because of the way we have tied nonces to session tokens, they are broken if you write code that follows this pattern:
- Code switches user using wp_set_current_user
- Code generates a nonce
- ...time happens
- Nonce is verified for the switched user.
The underlying issue is that while we are switched to the different user, we still generate nonces using the session token from the currently logged-in user's cookie.
This is because wp_get_session_token only checks the cookie and either gives you back a token for the cookie or an empty string.
This also means that if you are authenticating by an alternative method and not setting cookies - say OAuth Authorization headers - then your nonces don't get session tokens in them at all.
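To make the failure mode concrete, here is an added Python model of the relevant WordPress logic (wp_nonce_tick, wp_create_nonce, wp_verify_nonce and wp_get_session_token). It is example code written for this ticket, not WordPress' own PHP; the secret, user ids, session tokens and timestamp are constructed. The first function reproduces the user-switch scenario from the description, the second is the control case, and the third shows the cookie-less (header-authenticated) case where the nonce carries an empty session token.

```python
import hashlib
import hmac
import math

# Constructed secret standing in for the NONCE_KEY/NONCE_SALT used by wp_hash().
NONCE_SECRET = b"constructed-nonce-secret-for-demo"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime (one day)
FIXED_NOW = 1_700_000_000   # constructed timestamp so the results are deterministic


def nonce_tick(now):
    """Mirror of wp_nonce_tick(): ceil(now / (nonce_life / 2))."""
    return math.ceil(now / (NONCE_LIFE / 2))


def wp_hash(data):
    """Mirror of wp_hash($data, 'nonce'): HMAC-MD5 under the nonce secret."""
    return hmac.new(NONCE_SECRET, data.encode(), hashlib.md5).hexdigest()


class Request:
    """One PHP request. The logged_in cookie is fixed for the whole request,
    while the current user can be swapped with set_current_user()
    (the model of wp_set_current_user)."""

    def __init__(self, cookie_uid=None, cookie_token=None, header_uid=None):
        # cookie_uid/cookie_token None models a request with no auth cookie,
        # e.g. one authenticated by an OAuth Authorization header; header_uid
        # is the user that alternative authentication established.
        self.cookie_token = cookie_token
        self.current_uid = cookie_uid if cookie_uid is not None else header_uid

    def set_current_user(self, uid):
        self.current_uid = uid

    def get_session_token(self):
        """Mirror of wp_get_session_token(): the cookie's token or ''.
        It never consults the current user, which is the problem described."""
        return self.cookie_token or ""

    def _nonce_for_tick(self, tick, action):
        uid = self.current_uid or 0
        token = self.get_session_token()
        # substr(wp_hash(...), -12, 10) in PHP
        return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:][:10]

    def create_nonce(self, action, now=FIXED_NOW):
        """Mirror of wp_create_nonce()."""
        return self._nonce_for_tick(nonce_tick(now), action)

    def verify_nonce(self, nonce, action, now=FIXED_NOW):
        """Mirror of wp_verify_nonce(): 1 for the current tick, 2 for the
        previous tick, False otherwise."""
        tick = nonce_tick(now)
        if hmac.compare_digest(nonce, self._nonce_for_tick(tick, action)):
            return 1
        if hmac.compare_digest(nonce, self._nonce_for_tick(tick - 1, action)):
            return 2
        return False


def nonce_after_user_switch_fails():
    """The ticket's scenario: an admin (uid 1) switches to uid 7 and mints a
    nonce for them; later uid 7 presents it from their own session. The nonce
    was bound to the admin's cookie token, so it does not verify."""
    admin = Request(cookie_uid=1, cookie_token="constructed-token-admin")
    admin.set_current_user(7)
    nonce = admin.create_nonce("edit-post_42")
    user7 = Request(cookie_uid=7, cookie_token="constructed-token-user7")
    return user7.verify_nonce(nonce, "edit-post_42")  # False


def nonce_in_same_session_verifies():
    """Control case: same user and same session token, verification returns 1."""
    user7 = Request(cookie_uid=7, cookie_token="constructed-token-user7")
    nonce = user7.create_nonce("edit-post_42")
    return user7.verify_nonce(nonce, "edit-post_42")  # 1


def header_auth_nonce_has_no_session_token():
    """Second point of the ticket: without a cookie the nonce is computed with
    an empty token, so it verifies but is not tied to any session at all."""
    api = Request(header_uid=7)  # authenticated by a header, no cookie set
    nonce = api.create_nonce("edit-post_42")
    return api.get_session_token(), api.verify_nonce(nonce, "edit-post_42")  # ('', 1)
```

The model keeps the real functions' shape (tick, action, user id and token hashed together, a two-tick verification window) so that the mismatch is visible exactly where the description places it: the token is read from the cookie, not from the user that wp_set_current_user made current.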
Change History (6)
#1
@
9 years ago
- Summary changed from Tieing nonces to sessions breaks when users are switched to Tying nonces to sessions breaks when users are switched
This ticket was mentioned in Slack in #core by sam. (9 years ago)
This ticket was mentioned in Slack in #core by helen. (9 years ago)
#7
@
6 years ago
- Resolution set to maybelater
Switching from wontfix to maybelater, since that's more accurate.
xref: https://make.wordpress.org/core/2019/01/14/follow-up-on-recent-trac-bulk-edit/
Crickets.