As WordPress does not store sessions and so cannot check against a list of known sessions (instead sessions are checked solely based on a cookie), the risk of session attacks (via e.g. cookie theft) is important. At that point Google Authenticator doesn’t help, as it is invoked on authenticate.
To what extent would it be possible for this plugin to try to mitigate that … security risk by hooking into the session validation logic and checking against known Google Authenticator authenticated sessions?
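The check asked about above, sketched as an added example (not code from the post, the plugin, or WordPress): a language-neutral Python model in which a signed cookie is accepted only if its session id is also in a server-side registry of sessions that passed the second factor. All names (`VERIFIED`, `issue_cookie`, `registry_check`, the `user|expiry|sid|mac` cookie layout) are hypothetical, and the user-agent binding is an assumed, easily spoofed signal.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # constructed signing key for this model
VERIFIED = {}                     # sid -> (user, client fingerprint, expiry)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _fingerprint(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()

def issue_cookie(user, user_agent, passed_second_factor, ttl=3600, now=None):
    """Issue a signed cookie; register the session only if 2FA succeeded."""
    now = time.time() if now is None else now
    sid, expiry = secrets.token_hex(16), int(now) + ttl
    payload = f"{user}|{expiry}|{sid}"
    if passed_second_factor:
        VERIFIED[sid] = (user, _fingerprint(user_agent), expiry)
    return f"{payload}|{_sign(payload)}"

def cookie_only_check(cookie, now=None):
    """Stateless validation: signature and expiry, nothing server-side."""
    now = time.time() if now is None else now
    try:
        user, expiry, sid, mac = cookie.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(f"{user}|{expiry}|{sid}")):
        return None
    return (user, sid) if expiry > now else None

def registry_check(cookie, user_agent, now=None):
    """Cookie validation plus lookup among 2FA-verified sessions."""
    now = time.time() if now is None else now
    parsed = cookie_only_check(cookie, now)
    if parsed is None:
        return None
    user, sid = parsed
    entry = VERIFIED.get(sid)
    if entry is None or entry[0] != user or entry[2] <= now:
        return None               # never passed 2FA, or expired server-side
    if not hmac.compare_digest(entry[1], _fingerprint(user_agent)):
        VERIFIED.pop(sid, None)   # client changed: revoke the session outright
        return None
    return user
```

The registry adds server-side revocation and a guarantee that the session passed the second factor; a replayed cookie that also copies the bound client attributes still passes, so it narrows the exposure rather than removing it.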