Security issue (4 posts)

  1. tbarros
    Member
    Posted 17 years ago #

    Hello,

    When checking the authentication system in WordPress MU, I have realized that it sets a cookie with a double-hashed password. Anyone sniffing the net can catch the cookie and use it to get access to WordPress authenticated as the user, since its value is constant (the hash doesn't include any temporal information such as timestamp, client IP, random values, etc.). Another point is that the cookie has an expiration time that is too long.

    Maybe I'm wrong in my impression, but I have fixed the pluggable.php file to use PHP sessions instead (which, by the way, solves the logout path problem). Anyone interested in it?

    Tomás

  2. ljkyser
    Member
    Posted 17 years ago #

    I believe the reason that cookies are used is that in a large scale system (such as WordPress.com), when doing load balancing, especially round robin style, using cookies only keeps the state at the client level, avoiding the need to replicate session files across servers in a farm or having to buy a super expensive router that manages session state for you. I know Flickr does things in a similar fashion for this very reason.

    Maybe adding the temporal information to the cookie creation would be a good idea (IP, UserAgent, Random Value, etc.), although some of these values are not reliable from request to request. You'd have to be careful about which ones you choose. For the sake of simplicity and avoiding some of the pitfalls above, the current mechanism may have been chosen.

  3. tbarros
    Member
    Posted 17 years ago #

    Mmm... sounds very reasonable, but adding at least a timestamp in the hash will increase the security a lot, so you can be sure the ticket (or cookie) cannot be used in the future.

  4. andrea_r
    Moderator
    Posted 17 years ago #

    You should probably email Donncha privately about this.
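
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not WordPress MU code: a cookie derived only from the password is the same on every login, while a cookie carrying an expiry covered by a keyed MAC stays stateless (no session replication behind a load balancer) yet stops validating after its lifetime. The function names, the `SERVER_SECRET` constant, the `user|expiry|mac` layout and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration; names, layout and secret are hypothetical.
const SERVER_SECRET = 'constructed-demo-secret'; // assumption: same key on every web server

// Scheme described in the thread: the value depends only on the password,
// so it is identical on every login and never stops being valid by itself.
function constant_cookie(string $password): string {
    return md5(md5($password));
}

// Stateless alternative: user|expiry|HMAC(user|expiry). Nothing is stored
// server-side, so any server in a round-robin farm can verify it.
function issue_cookie(string $user, int $now, int $ttl): string {
    $expiry = $now + $ttl;
    $mac = hash_hmac('sha256', $user . '|' . $expiry, SERVER_SECRET);
    return $user . '|' . $expiry . '|' . $mac;
}

// Returns the user name if the cookie is authentic and unexpired, else null.
function verify_cookie(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed, or a user name containing the separator
    }
    [$user, $expiry, $mac] = $parts;
    if (!ctype_digit($expiry)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time comparison; expiry or user was altered
    }
    return ((int) $expiry >= $now) ? $user : null;
}

$t0 = 1200000000; // constructed login time (Unix seconds)
// Two logins with the same password yield the same cookie value.
var_dump(constant_cookie('constructed-pw') === constant_cookie('constructed-pw'));

$c = issue_cookie('alice', $t0, 3600);
var_dump(verify_cookie($c, $t0 + 60));    // presented within its lifetime
var_dump(verify_cookie($c, $t0 + 7200));  // same cookie presented after expiry

// Expiry field edited but MAC left unchanged: verification fails.
$edited = 'alice|' . ($t0 + 999999) . '|' . explode('|', $c)[2];
var_dump(verify_cookie($edited, $t0 + 7200));
```

The expiry only bounds how long a captured cookie remains usable; keeping it from being captured on the wire in the first place requires sending it over an encrypted connection.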
