The MU forums have moved to WordPress.org

Cookie PHPSESID - limit cookie for the user IP (7 posts)

  1. gibidi
    Member
    Posted 15 years ago #

    Hello,
    I have a real security issue. I have a WordPress MU installed and running. My issue is that if a user steals a cookie from another user, he has full control of the blog.

    I want to limit the cookie to the user IP and check every time whether the user IP is the same as the one from the cookie.

    Thank you,
    gibi

  2. jamescollins
    Member
    Posted 15 years ago #

    Hi gibidi,

    It isn't recommended to check the user's IP address, because some ISPs (e.g. AOL) change a user's IP address on almost every page load.

    Generally the best thing you can do is check the visitor's user agent, as this shouldn't change between page requests.

    James

  3. gibidi
    Member
    Posted 15 years ago #

    Hi, the site is not for the AOL users.
    It is a big issue for me. I need to set the cookie for the user IP.
    If you know any plugin or where I can modify the login where the cookie is set, please help.

    Thank you,
    gibidi

  4. gibidi
    Member
    Posted 15 years ago #

    Any ideas?

  5. donncha
    Key Master
    Posted 15 years ago #

    How would the cookie be stolen? Is your site on a LAN? Perhaps you should look into using HTTPS instead? That would protect your users' cookies with encryption.

  6. MrBrian
    Member
    Posted 15 years ago #

    What James said doesn't just apply to AOL users. Your average cable user may have their IP change every month, and with dialup it can be changed every day. I don't see what the security issue is here, as cookies are set for any login based site. If you want the cookies encrypted, get an SSL certificate and use https:// for login like donncha suggests.

  7. gibidi
    Member
    Posted 15 years ago #

    You really don't get it.
    Stealing a cookie is really pretty easy for almost anybody.

    Doesn't matter if they are AOL users, cable users ... they only need to relogin when the IP is changed.

    I live in Romania and the web security must be as strong as possible.

    I'm not going to get an SSL certificate just for this.
    The solution is easy... just make the cookie based on the user's IP and check every time whether the cookie is for that IP.
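The thread argues about three things without ever showing them side by side: binding the session cookie to the client IP (gibidi), binding it to the user agent instead (James), and sending it only over HTTPS (donncha, MrBrian). The following Python module is an added example written for this page; it is not code from the thread and not WordPress MU's own cookie code, which is PHP. It mints an HMAC-signed cookie whose MAC covers whichever client attributes the operator chose to bind, recomputes that MAC from the current request's attributes on every check, and shows the trade-off the replies describe: with IP binding a cookie presented from a different address fails validation and the user has to log in again, while user-agent binding survives an address change. The secret key, user id, IP addresses and user-agent strings are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import FrozenSet, Optional

# Constructed server-side secret for this example only; a real deployment
# loads a random key from configuration and never ships it in source.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

IP_BINDING = "ip"   # tie the session to the client IP (fails when the IP changes)
UA_BINDING = "ua"   # tie the session to the User-Agent header (client-supplied)


def _fingerprint(bindings: FrozenSet[str], ip: str, user_agent: str) -> bytes:
    """Concatenate only the client attributes the session is bound to."""
    parts = []
    if IP_BINDING in bindings:
        parts.append(ip)
    if UA_BINDING in bindings:
        parts.append(user_agent)
    return "\x00".join(parts).encode()


def _mac(user_id: int, expires: int, bindings_str: str, fp: bytes) -> str:
    """HMAC over the cookie fields plus the (never transmitted) fingerprint."""
    msg = b"|".join([str(user_id).encode(), str(expires).encode(),
                     bindings_str.encode(), fp])
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user_id: int, ip: str, user_agent: str,
                 bindings: FrozenSet[str], ttl: int = 3600,
                 now: Optional[int] = None) -> str:
    """Build the cookie value: user id, expiry, binding list and MAC.

    The fingerprint itself stays out of the cookie; it is folded into the
    MAC, so a cookie replayed from a client with different bound attributes
    cannot produce a valid MAC."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    bindings_str = ",".join(sorted(bindings))
    mac = _mac(user_id, expires, bindings_str, _fingerprint(bindings, ip, user_agent))
    return f"{user_id}:{expires}:{bindings_str}:{mac}"


def validate_cookie(cookie: str, ip: str, user_agent: str,
                    now: Optional[int] = None) -> Optional[int]:
    """Return the user id if the cookie is intact, unexpired and presented
    by a client matching its bound attributes; otherwise None (re-login)."""
    now = int(time.time()) if now is None else now
    try:
        uid_s, exp_s, bindings_str, mac = cookie.split(":")
        user_id, expires = int(uid_s), int(exp_s)
    except ValueError:
        return None
    if expires < now:
        return None
    bindings = frozenset(b for b in bindings_str.split(",") if b)
    if not bindings <= {IP_BINDING, UA_BINDING}:
        return None
    # The binding list is part of the MAC input, so stripping "ip" from the
    # cookie to dodge the check invalidates the MAC as well.
    expected = _mac(user_id, expires, bindings_str, _fingerprint(bindings, ip, user_agent))
    if not hmac.compare_digest(expected, mac):
        return None
    return user_id


def set_cookie_header(cookie: str, over_https: bool) -> str:
    """Set-Cookie line; the Secure flag only makes sense once the login
    runs over HTTPS, which is the transport protection the thread recommends."""
    attrs = ["wpmu_session=" + cookie, "Path=/", "HttpOnly"]
    if over_https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample UA)"
    t0 = 1_000_000
    ip_bound = issue_cookie(42, "203.0.113.10", ua, frozenset({IP_BINDING}), now=t0)
    print("same IP:     ", validate_cookie(ip_bound, "203.0.113.10", ua, now=t0 + 100))
    print("IP changed:  ", validate_cookie(ip_bound, "198.51.100.7", ua, now=t0 + 100))
    ua_bound = issue_cookie(42, "203.0.113.10", ua, frozenset({UA_BINDING}), now=t0)
    print("UA, new IP:  ", validate_cookie(ua_bound, "198.51.100.7", ua, now=t0 + 100))
    print(set_cookie_header(ip_bound, over_https=True))
```

Two caveats belong with this design. The IP check fails closed on every address change, which is exactly the forced re-login MrBrian and James warn about, and it gives no protection against a cookie copied from another client behind the same NAT or on the same LAN, which is why donncha asks how the theft happens in the first place. The User-Agent header is sent by the client, so binding to it adds far less than an IP check and is no substitute for serving the login and the cookie over HTTPS with the Secure flag set.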
