WordPress HTTPS (SSL)
Force SSL for Authenticated Users (2 posts)

  1. fommil
    Member
    Posted 2 years ago #

    Hi,

    I use the HTTP AUTH plugin to authenticate users, and I ensure that this is only ever done over SSL (in my Apache conf files).

    However, WordPress then sets an "auth cookie" in the user's browser, which is used to authenticate the user for 2 weeks. The user can easily swap to HTTP mode, and therefore an attacker could snoop the auth cookie and obtain login rights for that time period. IMHO, this is a fairly big security hole in WordPress in general (even for the default authentication mechanism).

    Could you please support an option in your plugin (or let me know a simple way to implement it myself) so that WordPress only requests the auth cookie when the user is using HTTPS? (BTW, I do need to keep the HTTP version of the site up for normal visitors.)

    Regards, Sam

    http://wordpress.org/extend/plugins/wordpress-https/

  2. fommil
    Member
    Posted 2 years ago #

    (I just realised that the title is perhaps misleading - it should be: "Only Authenticate SSL Users")

    PS: I'm not 100% sure about how it works, but I am assuming that the client will only send the cookie if requested to do so. If this assumption is false, then the better solution would be that the cookie is constructed in such a way that the client only sends the auth cookie when using SSL.
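
The behaviour the second post is unsure about is decided by the cookie's Secure attribute, not by the server "requesting" the cookie: a browser attaches every matching cookie to every request unless the cookie was set with Secure, in which case it is only sent over HTTPS. The following added example (not code from the poster or from the plugin) reproduces that client-side rule with Python's standard cookie jar; the domain `example.test` and the two cookie names are constructed for the demonstration.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure):
    """Build a cookie as a browser would store it after a Set-Cookie header.

    'secure' corresponds to the Secure attribute on Set-Cookie.
    """
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=False,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookies_sent(jar, url):
    """Return the sorted names of the cookies the jar attaches to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)          # applies the same Secure/domain/path rules a browser does
    header = req.get_header("Cookie", "")
    return sorted(part.split("=")[0].strip() for part in header.split(";") if part.strip())


def simulate(domain="example.test"):
    """Store one plain and one Secure auth cookie, then see what leaks onto plain HTTP."""
    jar = http.cookiejar.CookieJar()
    # constructed sample cookies: same value class as a WordPress auth cookie, names made up
    jar.set_cookie(make_cookie("wordpress_auth_plain", "v1", domain, secure=False))
    jar.set_cookie(make_cookie("wordpress_auth_secure", "v2", domain, secure=True))
    return {
        "https": cookies_sent(jar, f"https://{domain}/wp-admin/"),
        "http": cookies_sent(jar, f"http://{domain}/"),
    }


if __name__ == "__main__":
    for scheme, names in simulate().items():
        print(f"{scheme}: {names}")
```

Only the cookie without the Secure attribute travels over plain HTTP, which is exactly the snooping exposure described in the first post; in WordPress core the `secure_auth_cookie` filter is the hook that controls whether the auth cookie is set with that attribute.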

Topic Closed

This topic has been closed to new replies.
