Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 6 years ago

#8212 closed defect (bug) (fixed)

generate/validate_auth_cookie doesn't always check scheme

Reported by: tellyworth
Owned by:
Milestone: 2.7
Priority: normal
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:


When using wp_generate_auth_cookie() and wp_validate_auth_cookie() with one of the standard auth schemes (auth, secure_auth, logged_in), the cookie will correctly fail to validate if the wrong scheme is used:

		$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
		$this->assertEquals( 1, wp_validate_auth_cookie($cookie, 'auth') ); // pass

		$cookie = wp_generate_auth_cookie(1, time() + 3600, 'auth');
		$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'logged_in') ); // pass

However, this is not the case when arbitrary auth schemes are used. The cookie will validate even if the scheme is incorrect.

		$cookie = wp_generate_auth_cookie(1, time() - 3600, 'foo');
		$this->assertEquals( false, wp_validate_auth_cookie($cookie, 'bar') ); // this should fail, but doesn't

The reason the built-in schemes work as expected is that they each use a unique salt. Arbitrary schemes all use the same salt (see wp_salt()).

NB: I don't believe this is a core security issue, but fixing it could prevent future problems.

Attachments (1)

unique-salt-r9678.patch (454 bytes) - added by tellyworth 12 years ago.


Change History (5)

#1 @tellyworth
12 years ago

unique-salt-r9678.patch fixes the problem by providing a fallback salt value that's unique to each auth scheme.

Unit tests are in http://svn.automattic.com/wordpress-tests/wp-testcase/test_includes_pluggable.php TestAuthFunctions. There's one failure before the patch, all pass afterwards.

I made a typo in one of the examples above (-3600 instead of +3600) but the unit tests in svn are correct.
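As an added illustration (this is neither WordPress code nor tellyworth's patch), the Python model below reproduces the mechanism the ticket describes: each built-in scheme keys the cookie MAC with its own salt, while every custom scheme falls back to one shared salt, so a cookie minted for scheme 'foo' also validates under 'bar'. The salt_after_fix() function shows the shape of the remedy, a fallback salt that differs per scheme; deriving it by mixing the scheme name into the shared salt is an assumption, as are the simplified cookie layout, the hash construction and the constructed salt values.

```python
import hashlib
import hmac
import time

# Constructed stand-ins for the per-scheme salts WordPress reads from wp-config.php.
# Only the three built-in schemes have a salt of their own; a custom scheme has none.
BUILTIN_SALTS = {
    "auth": b"constructed-auth-salt",
    "secure_auth": b"constructed-secure-auth-salt",
    "logged_in": b"constructed-logged-in-salt",
}
SHARED_SALT = b"constructed-shared-salt"  # what every custom scheme used before the fix


def salt_before_fix(scheme):
    """Pre-fix behaviour: unknown schemes all resolve to the same salt."""
    return BUILTIN_SALTS.get(scheme, SHARED_SALT)


def salt_after_fix(scheme):
    """Post-fix behaviour: the fallback salt is made unique per scheme.

    Assumption: the real patch's construction is not shown on the page; mixing the
    scheme name into the fallback is one way to get a distinct salt per scheme.
    """
    builtin = BUILTIN_SALTS.get(scheme)
    if builtin is not None:
        return builtin
    return SHARED_SALT + b":" + scheme.encode()


def _sign(user_id, expiration, scheme, salt_fn):
    # Two-step keying in the spirit of wp_hash(): derive a per-scheme key from the
    # salt, then MAC the cookie payload with that key (simplified model).
    payload = f"{user_id}|{expiration}".encode()
    key = hmac.new(salt_fn(scheme), payload, hashlib.sha256).digest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def generate_auth_cookie(user_id, expiration, scheme, salt_fn):
    """Mint a cookie of the form user_id|expiration|mac for the given scheme."""
    return f"{user_id}|{expiration}|{_sign(user_id, expiration, scheme, salt_fn)}"


def validate_auth_cookie(cookie, scheme, salt_fn, now=None):
    """Return the user id if the cookie is valid for `scheme`, else False."""
    now = time.time() if now is None else now
    try:
        user_id, expiration, mac = cookie.split("|")
        expiration = int(expiration)
    except ValueError:
        return False
    if expiration < now:  # expired cookies never validate
        return False
    expected = _sign(user_id, expiration, scheme, salt_fn)
    if not hmac.compare_digest(expected, mac):
        return False
    return int(user_id)


def cross_scheme_check(salt_fn, now):
    """Mint a cookie for custom scheme 'foo' and report whether it validates as 'bar'."""
    cookie = generate_auth_cookie(1, now + 3600, "foo", salt_fn)
    return {
        "foo": validate_auth_cookie(cookie, "foo", salt_fn, now=now),
        "bar": validate_auth_cookie(cookie, "bar", salt_fn, now=now),
    }


if __name__ == "__main__":
    now = int(time.time())
    print("before fix:", cross_scheme_check(salt_before_fix, now))  # 'bar' wrongly validates
    print("after fix: ", cross_scheme_check(salt_after_fix, now))   # 'bar' is rejected
```

The built-in schemes behave the same under both salt functions; only the custom-scheme case changes, which is exactly the failing assertion from the ticket description.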

#2 @ryan
12 years ago

  • Milestone changed from 2.8 to 2.7

#3 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [9680]) Provide fallback salt to accommodate custom schemes. Props tellyworth. fixes #8212

This ticket was mentioned in Slack in #wptv by arkonisus.

6 years ago
