WordPress.org

Google Authenticator
[resolved] protecting against session attacks? (2 posts)

  1. futtta
    Member
    Posted 1 year ago #

    As WordPress does not store sessions and so cannot check against a list of known sessions (instead sessions are checked solely based on a cookie), the risk of session attacks (via e.g. cookie theft) is important. At that point Google Authenticator doesn't help, as it is invoked on authenticate.

    To what extent would it be possible for this plugin to try to mitigate that ... security risk by hooking into the session validation logic and checking against known Google Authenticator authenticated sessions?

    More info: http://blog.spiderlabs.com/2013/04/jamming-with-wordpress-sessions.html

    http://wordpress.org/extend/plugins/google-authenticator/

  2. Henrik Schack
    Member
    Plugin Author

    Posted 1 year ago #

    Looks like the use of SSL would be the easy way to fix this, doesn't it?

    Best regards
    Henrik Schack

Topic Closed

This topic has been closed to new replies.
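The difference between the cookie-only check described in the first post and a check against a list of sessions that completed the second factor, as an added example that is not part of the thread and is neither WordPress nor plugin code. The cookie layout, `SECRET`, `stateless_valid` and `SessionRegistry` are assumptions made for this simplified model, which does not reproduce WordPress's actual cookie format.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"  # constructed value standing in for a site secret


def sign(user, expires, token):
    msg = f"{user}|{expires}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, expires, token=""):
    return f"{user}|{expires}|{token}|{sign(user, expires, token)}"


def stateless_valid(cookie, now):
    """Cookie-only check: signature and expiry, no server-side state."""
    try:
        user, expires, token, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return False
    return hmac.compare_digest(mac, sign(user, expires, token)) and now < expires


class SessionRegistry:
    """Server-side list of sessions that completed the second factor."""

    def __init__(self):
        self._known = {}  # sha256(token) -> user; raw tokens are not stored

    def login(self, user, expires, otp_ok):
        if not otp_ok:
            return None  # no session is registered without the one-time code
        token = secrets.token_hex(16)
        self._known[hashlib.sha256(token.encode()).hexdigest()] = user
        return issue_cookie(user, expires, token)

    def logout(self, cookie):
        token = cookie.split("|")[2]
        self._known.pop(hashlib.sha256(token.encode()).hexdigest(), None)

    def valid(self, cookie, now):
        if not stateless_valid(cookie, now):
            return False
        user, _, token, _ = cookie.split("|")
        return self._known.get(hashlib.sha256(token.encode()).hexdigest()) == user
```

With the registry, logging out invalidates the cookie on the server side, whereas the cookie-only check keeps accepting it until it expires. A cookie is still accepted by both checks while its session remains registered, so the registry limits how long a copied cookie is useful and does not protect the cookie in transit.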
