Force "wordpress_logged_in_HASH" cookie to be HTTPS-only?

capi81
(@capi81)

13 years, 1 month ago

Hi,

If I enable “Force SSL Administration”, wouldn’t it also be sensible to have the “wordpress_logged_in_HASH” cookie be set to “Secure”? Or maybe not have it set at all, as when using HTTPS, WordPress should fall back to “wordpress_sec_HASH”, as far as I understood the code.

Maybe add this as an option, as I am aware that I can’t be browsing the content of the site via HTTP as a logged-in user in this case.

As the auth-cookies of WordPress are known to be weak, I’d really like to prevent any of those cookies ever been sent via HTTP. Even if it is only me forgetting to log-out or loading some content (e.g. an image) via HTTP instead of HTTP from the domain.

Would be an important improvement, in my opinion.

Thanks for your consideration!

http://ww.wp.xz.cn/extend/plugins/wordpress-https/

Viewing 4 replies - 1 through 4 (of 4 total)

Plugin Author mvied
(@mvied)

13 years, 1 month ago

Many people want to be logged into both so that when they visited their public site over HTTP, they still had admin features.

You’re actually the first person to ask and like most things that I consider adding to the plugin, I wait until somebody asks for it.

Do you also use Force SSL Exclusively? Perhaps the cookies could be set to secure if both settings were enabled. I think that’s reasonable and I wouldn’t have to add another checkbox to the settings. I like simple. Let me know what you think.
Thread Starter capi81
(@capi81)

13 years, 1 month ago
No, I don’t use Force SSL Exclusively, as visitors should be free to decide if they want to use HTTP or HTTPS.

I did some experiments with the cookies and it seems that the wordpress_logged_in_* alone cannot be used to access the administration, if the wordpress_logged_in_* is not set due the path restrictions of the secure cookie.

Still, the content of the wordpress_logged_in_* is the same evertime I log in, so I’d say it needs to be considered a credential which I would not want to be exposed via non-encrypted connections. What exactly can be accessed with the wordpress_logged_in? One seems to be able to preview unpublished articles, comment under the user’s name, what else?

Maybe it would be a workaround to simply unset the cookie after login and modify WordPress URL and Site-URL to the HTTPS variant when being viewed via HTTPS so that article preview, etc. use HTTPS instead of the HTTP version, which would require the cookie to be set.

Basically (I just tested it), the functionality is similar to the following addition to wp-config.php:
```
if ($_SERVER['HTTPS'] == "on") {
  define('WP_HOME','https://www.domain.com/blog');
  define('WP_SITEURL', 'https://www.domain.com/blog');
  setcookie('wordpress_logged_in_HASH', $_COOKIE["wordpress_logged_in_HASH"], 0, "/blog/", "www.domain.com", true, true);
  setcookie('wordpress_logged_in_HASH', "", time()-3600, "/blog/");
}
```
What is your opinion on my points above?
Thread Starter capi81
(@capi81)

13 years, 1 month ago

Well, actually my code-snippet above has some issues, e.g. it does not unset the cookie on log-out, but I think you get the point 🙂

Plugin Author mvied
(@mvied)

13 years, 1 month ago

I know what it would take to implement, I just don’t want to add another checkbox if I don’t have to. I’ll think on it.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Force "wordpress_logged_in_HASH" cookie to be HTTPS-only?’ is closed to new replies.

Tags