A few weeks ago I spent some time strolling through the WordPress authentication code, trying to come up with the best way to wrap it with SSL. In conclusion? It can be wrapped, and it seems like it might even be secure if the password and session cookies are only sent and honored over SSL connections.
The session cookie mechanism used in WordPress 1.5 was written from scratch rather than on top of the PHP session APIs, and it suffers from exactly the problems those APIs were designed to solve. It sets two cookies:
wordpressuser_{HASH} = {USERNAME}
wordpresspass_{HASH} = {PWHASH}
The {HASH} is generated from the configured site URL, so it is not a secret: anyone who knows the site's address can compute it. The {USERNAME} is the plain-text user name. The {PWHASH} is the truly heinous part -- it can be either:
- The MD5 hash of the password.
- The MD5 hash of the MD5 hash of the password.
The cookie checker just compares the value of the password cookie with the MD5 hash of the user's password stored in the database. That makes the MD5 hash exactly as valuable as the plain-text password: whoever obtains it, whether by sniffing the cookie or by reading the users table, can authenticate without ever knowing or cracking the password itself. It also means there is nothing to revoke. If the pair of cookies is ever intercepted, it can be installed into a malicious user's browser unaltered and used to authenticate against the original site for as long as the password stays the same, since nothing on the server side ever expires it.
If WordPress instead used the PHP session APIs, a session might be just as easy to hijack over plain HTTP, but the cookie would carry only an opaque random session ID. That gives away nothing permanent, can be invalidated on the server at logout, and expires after the configured session lifetime rather than living forever.
WordPress isn't the easiest package to use. I'm unimpressed with its messy internals, its chaotic landscape of useless 3rd party plugins, and lack of a built-in photo management tool. I'm very seriously investigating Drupal as a replacement.
Indeed, what else is there to blog about but blogging itself!