Google Authenticator
[resolved] protecting against session attacks? (2 posts)

  1. Frank Goossens
    Posted 2 years ago #

    As WordPress does not store sessions and so cannot check against a list of known sessions (instead sessions are checked solely based on a cookie), the risk of session attacks (via e.g. cookie theft) is important. At that point Google Authenticator doesn't help, as it is invoked on authenticate.

    To what extent would it be possible for this plugin to try to mitigate that ... security risk by hooking into the session validation logic and checking against known Google Authenticator authenticated sessions?

    More info: http://blog.spiderlabs.com/2013/04/jamming-with-wordpress-sessions.html


  2. Henrik Schack
    Plugin Author

    Posted 2 years ago #

    Looks like the use of SSL would be the easy way to fix this, doesn't it?

    Best regards
    Henrik Schack

Topic Closed

This topic has been closed to new replies.
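
The check asked about in the first post, sketched as an added example that is not part of the thread or of the plugin's code: a simplified signed-cookie model (an assumption, not WordPress's actual cookie format) compared with a server-side list of sessions that passed the second factor. All function names, the secret and the user are constructed for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = b"constructed-demo-key"   # constructed; stands in for the site's secret
KNOWN = {}                         # sha256(token) -> user, filled only after 2FA

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def login(user, otp_ok, ttl=3600):
    """Issue a cookie; record the session only if the second factor passed."""
    if not otp_ok:
        return None
    token = secrets.token_urlsafe(32)
    KNOWN[_h(token)] = user
    payload = f"{user}|{int(time.time()) + ttl}|{token}"
    return f"{payload}|{_mac(payload)}"

def logout(cookie):
    """Remove the session from the server-side list."""
    parts = cookie.split("|")
    if len(parts) == 4:
        KNOWN.pop(_h(parts[2]), None)

def check_cookie_only(cookie):
    """Stateless check: signature and expiry, nothing stored on the server."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, exp, token, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{user}|{exp}|{token}")):
        return None
    if not exp.isdigit() or int(exp) < time.time():
        return None
    return user

def check_known_session(cookie):
    """Cookie check plus lookup in the list of 2FA-authenticated sessions."""
    user = check_cookie_only(cookie)
    if user is None:
        return None
    return user if KNOWN.get(_h(cookie.split("|")[2])) == user else None

def demo():
    cookie = login("alice", otp_ok=True)
    copied = cookie                      # same bytes presented from elsewhere
    before = (check_cookie_only(copied), check_known_session(copied))
    logout(cookie)
    after = (check_cookie_only(copied), check_known_session(copied))
    return before, after                 # after logout only the list rejects
```

While the session is live both checks accept the copied cookie, so the list does not replace protecting the cookie in transit with SSL; what it adds is that logout revokes the session on the server.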
