Login Cookies TOO Secure

  • cmarshall

    (@cmarshall)


    16 years, 8 months ago

    Okay, this was driving me nuts (actually, it’s more of a short putt *<:o)

    I wrote this kewl plugin to transmogrify the siteurl requests to my localhost/test VM:

    function test_localhosts( $ret )
    {
    if ( preg_match ( '|10\.211\.55\.2|', $_SERVER['SERVER_ADDR'] ) )
        {
        $ret = "http://10.211.55.2/~cmarshall/littlegreenviper.com/public_html/main";
        }
    elseif ( preg_match ( '|127\.0\.0\.1|', $_SERVER['SERVER_ADDR'] ) || preg_match ( '|localhost|', $_SERVER['REQUEST_URI'] ) )
        {
        $ret = "http://localhost/~cmarshall/littlegreenviper.com/public_html/main";
        }
    return $ret;
    }

add_filter ( 'pre_option_home', 'test_localhosts', 0, 1 );
add_filter ( 'pre_option_siteurl', 'test_localhosts', 0, 1 );
add_filter ( 'bloginfo_url', 'test_localhosts', 0, 1 );

    However, it will never let me log in as an admin. I finally figured out that the COOKIE_HASH was stinky.

    This is because COOKIE_HASH does a get_info(‘siteurl’) BEFORE the plugins are applied, yet the comparison is done AFTER they are applied.

    This is very, very annoying. Is there the slightest chance that we could figure out a way to make the COOKIE_HASH chill when I am running this on a test server?

    Thanks.

Viewing 1 replies (of 1 total)
  • Thread Starter cmarshall

    (@cmarshall)

    16 years, 8 months ago

    er, that’s “COOKIEHASH”.

    The file in question is wp-settings.php.

    The offending section is this one:

    if (strpos($_SERVER['PHP_SELF'], 'install.php') === false) {
    // Used to guarantee unique hash cookies
    $cookiehash = md5(get_option('siteurl'));
	define('COOKIEHASH', $cookiehash);
}

if ( !defined('USER_COOKIE') )
	define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
if ( !defined('PASS_COOKIE') )
	define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
if ( !defined('COOKIEPATH') )
	define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('home') . '/' ) );
if ( !defined('SITECOOKIEPATH') )
	define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('siteurl') . '/' ) );
if ( !defined('COOKIE_DOMAIN') )
	define('COOKIE_DOMAIN', false);

    This calls get_option('siteurl') and get_option('home'). However, the plugins have not yet been scanned for their add_filter() calls, so the intercepted calls are not made.

    It may be as simple as moving the above section to below this section:

    if ( get_option('active_plugins') ) {
	$current_plugins = get_option('active_plugins');
	if ( is_array($current_plugins) ) {
		foreach ($current_plugins as $plugin) {
			if ('' != $plugin && file_exists(ABSPATH . PLUGINDIR . '/' . $plugin))
				include_once(ABSPATH . PLUGINDIR . '/' . $plugin);
		}
	}
}

    But I’m not so sure about that. Some of the plugins may need the constants above defined.

Viewing 1 replies (of 1 total)
  • The topic ‘Login Cookies TOO Secure’ is closed to new replies.