Changes between Initial Version and Version 1 of Ticket #46130, comment 6


Timestamp: 01/29/2019 11:25:58 PM (16 months ago)
Author: TimothyBlynJacobs

  • Ticket #46130, comment 6

    initial v1  
    2626The cookie value is generated by `generate_recovery_mode_cookie()`. The majority of the security related functions are defined in `pluggable.php`. When we load `pluggable.php` in other calls, we can immediately `die()` or `wp_redirect`. Since we have to validate this cookie on every page load, those functions aren't an option.
    2727
    28 After discussing with @aaroncampbell, it looked like making a version of `wp_salt` that has its own fallbacks for invalid salts was a variable option.
     28After discussing with @aaroncampbell, it looked like making a version of `wp_salt` that has its own fallbacks for invalid salts was a viable option.
    2929
    3030A separate function, `recovery_mode_hash()` is introduced that performs a `hash_hmac` specific to recovery mode. This tries to use the `AUTH_KEY` and `AUTH_SALT` values, but if they aren't available, it will load `pluggable.php` and then generate random values and store them to site options, similarly to `wp_salt()`.