The MU forums have moved to

Cookie PHPSESID - limit cookie for the user IP (7 posts)

  1. gibidi
    Posted 14 years ago #

    I have a real security issue. I have a wordpress mu installed and running. My issue is that a user steals a cookie from another user, he has full contorl of the blog.

    I want to limit the cookie for the user IP and check everytime if the user ip is the same with the one from the cookie.

    Thank you,

  2. jamescollins
    Posted 14 years ago #

    Hi gibidi,

    It isn't recommended to check the user's IP address, because some ISPs (eg AOL) change a user's IP address on almost every page load.

    Generally the best thing you can do is check the visitor's user agent, as this shouldn't change between page requests.


  3. gibidi
    Posted 14 years ago #

    Hi, the site is not for the AOL users.
    It is a big issue for me. I need to set the cookie for the user IP.
    If you know any plugin or where I can modify the login where the cookie is set, please help.

    Thank you,

  4. gibidi
    Posted 14 years ago #

    Any ideeas?

  5. donncha
    Key Master
    Posted 14 years ago #

    How would the cookie be stolen? Is your site on a LAN? Perhaps you should look into using HTTPS instead? That would protect your user's cookies with encryption.

  6. MrBrian
    Posted 14 years ago #

    What James said doesn't just apply to AOL users. Your average cable user may have their IP change every month, and with dialup it can be changed every day. I don't see what the security issue is here, as cookies are set for any login based site. If you want the cookies encrypted, get an SSL certificate and use https:// for login like donncha suggests.

  7. gibidi
    Posted 13 years ago #

    you really don't get it.
    To steal a cookie is really pretty easy for almost anybody.

    Doesn't matter if they are AOL users, cable users ... they only need to relogin when the IP is changed.

    I live in romania and the web security must be as stong as possible.

    I'm not going to get a SSL certificate just for this.
    The solution is easy... just to make the cookie based on the user's IP and check every time if the cookie is for that IP.

About this Topic