WordPress.org

Make WordPress Core

Opened 6 years ago

Last modified 2 years ago

#34041 new defect (bug) (maybelater)

Tying nonces to sessions breaks when users are switched

Reported by: westi Owned by:
Milestone: Future Release Priority: normal
Severity: major Version: 4.3
Component: Security Keywords: needs-patch
Focuses: Cc:

Description

Because of the way we have tied nonces to session tokens they are broken if you write code that follows the following pattern:

  • Code switches user using wp_set_current_user
  • Code generates a nonce
  • ...time happens
  • Nonce is verified for the switched user.

The underlying issue is that while we are switched to the different user we still generate nonces using the session token from the current logged in users cookie.

This is because wp_get_session_token only checks the cookie and either gives you back a token for the cookie or an empty string.

This also means if you are authenticating by an alternative method and not setting cookies - say OAuth Authorization headers - then your nonces don't get session tokens in them at all.

Change History (6)

#1 @DrewAPicture
6 years ago

  • Summary changed from Tieing nonces to sessions breaks when users are switched to Tying nonces to sessions breaks when users are switched

This ticket was mentioned in Slack in #core by sam. View the logs.
6 years ago

This ticket was mentioned in Slack in #core by helen. View the logs.
6 years ago

#4 @helen
6 years ago

  • Milestone changed from 4.3.2 to Future Release

Crickets.

#5 @westi
6 years ago

  • Severity changed from normal to major

Bitten by this again today.

#7 @iandunn
3 years ago

  • Resolution set to maybelater

Switching from wontfix to maybelater, since that's more accurate.

xref: https://make.wordpress.org/core/2019/01/14/follow-up-on-recent-trac-bulk-edit/

Note: See TracTickets for help on using tickets.