• louisfok

    (@louisfok)


I believe there’s a big security hole with the generate_auth_cookie call, since the username and password should never be passed as URL arguments: anyone can sniff the traffic. Is there going to be a fix to accept HTTP POST requests for the username and password? I believe it’s much more secure when sites use HTTP POST with SSL enabled. Thanks.

    https://wordpress.org/plugins/json-api-user/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Ali Qureshi

    (@parorrey)

Version upgraded to 2.3 to add support for both the POST method and an SSL requirement.

    You can still bypass SSL requirement by passing insecure=cool.
Also updated the ‘generate_auth_cookie’ endpoint to allow cookie generation using either username or email, with password.

    And you are welcome. 🙂

    Thread Starter louisfok

    (@louisfok)

    Thanks!
Getting SSL working is awesome since the traffic is secured. I also think it’ll be further improved if the controller can accept a “JSON request body” for the POST method instead of using username and password as URL parameters like
"generate_auth_cookie/?username=john&password=PASSWORD-HERE"

E.g.
HTTP POST
http://localhost/api/user/generate_auth_cookie/
Request Body:
{
"username" : "john",
"password" : "PASSWORD-HERE"
}

    Reference:
    http://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl
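For reference, here is what the hardened intake described in this thread looks like as plain WordPress PHP: credentials are read only from a POST body (form-encoded or JSON), never from the query string, and the request is refused over plain HTTP unless the site opts out server-side. This is an added example, not code from the json-api-user plugin; the function names, the `JAU_EXAMPLE_ALLOW_INSECURE` constant that stands in for the thread’s `insecure=cool` opt-out, and the choice to return a `logged_in` cookie string with a 14-day expiry are all assumptions.

```php
<?php
// Added example, not the json-api-user plugin's own code. Function names,
// the JAU_EXAMPLE_ALLOW_INSECURE constant and the cookie scheme/expiry are
// assumptions made for illustration.

/**
 * Read username-or-email plus password for an auth-cookie endpoint.
 *
 * Policy:
 *  - Credentials come only from a POST body (form-encoded or JSON). They are
 *    never read from the query string, so they do not end up in web-server
 *    access logs, proxy logs, browser history or Referer headers.
 *  - The request must arrive over TLS unless the site has opted out by
 *    defining JAU_EXAMPLE_ALLOW_INSECURE (hypothetical, modelled on the
 *    thread's insecure=cool flag but decided server-side, not by the caller).
 *
 * @return array{0:string,1:string}|WP_Error [login, password] or an error.
 */
function jau_example_read_credentials() {
    $allow_insecure = defined( 'JAU_EXAMPLE_ALLOW_INSECURE' ) && JAU_EXAMPLE_ALLOW_INSECURE;
    if ( ! is_ssl() && ! $allow_insecure ) {
        return new WP_Error( 'ssl_required', 'This endpoint requires HTTPS.', array( 'status' => 403 ) );
    }

    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return new WP_Error( 'post_required', 'Credentials must be sent in a POST body.', array( 'status' => 405 ) );
    }

    // Refuse a password in the URL even on POST: a client that copied the old
    // GET-style call would otherwise still leak the password into logs.
    if ( isset( $_GET['password'] ) ) {
        return new WP_Error( 'password_in_url', 'Do not pass the password as a URL parameter.', array( 'status' => 400 ) );
    }

    $content_type = $_SERVER['CONTENT_TYPE'] ?? '';
    if ( false !== stripos( $content_type, 'application/json' ) ) {
        // JSON body: {"username": "...", "password": "..."}. json_decode output
        // is not slash-escaped by WordPress, so it is used as-is.
        $data = json_decode( file_get_contents( 'php://input' ), true );
        if ( ! is_array( $data ) ) {
            return new WP_Error( 'bad_json', 'Request body is not valid JSON.', array( 'status' => 400 ) );
        }
    } else {
        // application/x-www-form-urlencoded: WordPress adds magic-quote style
        // slashes to $_POST, so strip them before use.
        $data = wp_unslash( $_POST );
    }

    $login    = isset( $data['username'] ) ? sanitize_text_field( (string) $data['username'] ) : '';
    $password = isset( $data['password'] ) ? (string) $data['password'] : '';
    if ( '' === $login || '' === $password ) {
        return new WP_Error( 'missing_credentials', 'username and password are required.', array( 'status' => 400 ) );
    }

    return array( $login, $password );
}

/**
 * Authenticate by username or email and return an auth cookie string.
 *
 * @return array|WP_Error
 */
function jau_example_generate_auth_cookie() {
    $creds = jau_example_read_credentials();
    if ( is_wp_error( $creds ) ) {
        return $creds;
    }
    list( $login, $password ) = $creds;

    // wp_authenticate() accepts either a username or an email address
    // (the email path is provided by core's wp_authenticate_email_password).
    $user = wp_authenticate( $login, $password );
    if ( is_wp_error( $user ) ) {
        // One generic message so the response does not reveal whether the
        // account exists.
        return new WP_Error( 'invalid_credentials', 'Invalid username/email or password.', array( 'status' => 401 ) );
    }

    // Assumption: a 14-day 'logged_in' cookie, returned in the (TLS-protected)
    // response body as the thread's endpoint does.
    $expiration = time() + 14 * DAY_IN_SECONDS;
    $cookie     = wp_generate_auth_cookie( $user->ID, $expiration, 'logged_in' );

    return array(
        'user_id'    => $user->ID,
        'user_login' => $user->user_login,
        'cookie'     => $cookie,
        'expires'    => $expiration,
    );
}
```

The two checks that matter most here are the method check and the explicit rejection of `password` in `$_GET`: moving the endpoint to POST is not enough on its own if the handler still reads the query string, because servers and proxies log request URLs by default, and a password in the URL is then written to disk even when TLS protected it in transit.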

    Plugin Author Ali Qureshi

    (@parorrey)

That’s a good suggestion too, and I was considering it for some time. I will enable it in a day or two.

    Don’t forget to review & rate the plugin.

    Thanks

  • The topic ‘Security Hole with generate_auth_cookie’ is closed to new replies.