sessions vs. cookies

sessions vs. cookies

John Joseph Bachir-2
(starting a new thread to keep things tidy)

>> (as an aside, why is authentication done directly with cookies instead
>> of with sessions?)

> Protecting session ids is a chore, they're sent back and forth on each
> request, and anybody who manages to steal one now has full access as a
> user. The only way sessions can be more secure than cookies is if it's
> all done over SSL, something that is not an option for the everyday blog

Isn't it currently the case that the double-hashed password is sent on
every request, and anyone who manages to steal it has full access as a
user?

John
----
aim/yim/msn/jabber.org: johnjosephbachir
713.494.2704
irc://irc.freenode.net/lyceum
http://lyceum.ibiblio.org/
http://blog.johnjosephbachir.org/

_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: sessions vs. cookies

Matt Mullenweg
John Joseph Bachir wrote:
> Isn't it currently the case that the double-hashed password is sent on
> every request, and anyone who manages to steal it has full access as a
> user?

Correct. Just as anyone who steals a session token has access to that
user's session.

In several years, I have not heard about anyone getting their cookie
stolen and having their blog messed with, even though this is a pretty
trivial hack theoretically.

For blogs with heightened security requirements I'd recommend the
secure-admin[1] plugin, which encrypts everything and puts the sensitive
bits under an SSL-only cookie. However for most people, including myself,
this would be overkill.

[1] http://downloads.wordpress.org/plugin/secure-admin.zip
[1] http://dev.wp-plugins.org/browser/secure-admin/

--
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
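To make the comparison in this exchange concrete, here is an added Python model (not WordPress code, and not from either poster) of the two schemes: a cookie derived from the stored password hash, as described above, and a random server-side session id with expiry, revocation and the Secure attribute that makes it "SSL-only". The md5-of-md5 construction, the user store and the cookie name are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: username -> md5(password), as stored by the app.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def double_hash(stored_hash: str) -> str:
    """The thread's 'double-hashed password': md5 of the stored md5 (assumed)."""
    return hashlib.md5(stored_hash.encode()).hexdigest()

def issue_password_cookie(user: str) -> str:
    return f"{user}|{double_hash(USERS[user])}"

def verify_password_cookie(cookie: str):
    """Scheme A: the bearer is accepted until the password changes; nothing server-side can expire or revoke it."""
    user, _, token = cookie.partition("|")
    stored = USERS.get(user)
    if stored and hmac.compare_digest(token, double_hash(stored)):
        return user
    return None

def change_password(user: str, new_password: str) -> None:
    """Changing the password is the only way to invalidate scheme A cookies."""
    USERS[user] = hashlib.md5(new_password.encode()).hexdigest()

# Scheme B: random ids looked up server-side, so they can expire and be revoked.
SESSIONS = {}  # session id -> (user, expiry timestamp)

def issue_session(user: str, ttl: int = 3600, now=None) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, (now or time.time()) + ttl)
    return sid

def verify_session(sid: str, now=None):
    entry = SESSIONS.get(sid)
    if entry is None or (now or time.time()) >= entry[1]:
        SESSIONS.pop(sid, None)  # expired or unknown: drop it
        return None
    return entry[0]

def revoke_session(sid: str) -> None:
    SESSIONS.pop(sid, None)

def set_cookie_header(name: str, value: str, ssl_only: bool = True) -> str:
    """'SSL-only cookie': the Secure attribute makes the browser send it only over HTTPS."""
    attrs = "; Secure" if ssl_only else ""
    return f"Set-Cookie: {name}={value}{attrs}"
```

Either token grants full access to whoever holds it, as both posters say; the difference the model shows is that a server-side session can be expired or revoked, while the password-derived cookie stays valid until the password changes.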