• Resolved TWD

    (@twd)


    When I look at the generated Cookie policy page I see entries like this:

    wordpress_sec_07f962ac975d8db4sd5a376zaf7d04a5
    wordpress_logged_in_07b852jc936d8db4pd5a376aay4d84a5

    Is this a security vulnerability?
    I mean could someone use this information to engineer a login?

    Yes or no?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor jarnovos

    (@jarnovos)

    Hi @twd,

    No, this is not a security vulnerability. The names of these Cookies cannot be used to obtain a login.

    Please also see the explanation of these Cookies as per the WordPress Codex:

    “On login, wordpress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the admin console area, /wp-admin/

    After login, wordpress sets the wordpress_logged_in_[hash] cookie, which indicates when you’re logged in, and who you are, for most interface use.”

    Furthermore, WordPress cookies that are only set when visiting the /wp-admin/ part of the site will be hidden from the Cookie Policy as they are not relevant to visitors on the front-end.

    Please let me know if you have any further questions about this.

    Kind regards,
    Jarno

    Plugin Contributor Leon Wimmenhoeve

    (@leonwimmenhoeve)

    Hi @twd,

    No, this is not a security vulnerability. The names of these Cookies cannot be used to obtain a login.

    Please also see the explanation of these Cookies as per the WordPress Codex:

    “On login, wordpress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the admin console area, /wp-admin/

    After login, wordpress sets the wordpress_logged_in_[hash] cookie, which indicates when you’re logged in, and who you are, for most interface use.”

    Furthermore, WordPress cookies that are only set when visiting the /wp-admin/ part of the site will be hidden from the Cookie Policy as they are not relevant to visitors on the front-end.

    Please let me know if you have any further questions about this.

    Kind regards,
    Leon

    Plugin Contributor Leon Wimmenhoeve

    (@leonwimmenhoeve)

    Hi @twd,

    No. Please also see the explanation of these Cookies as per the WordPress Codex:

    “On login, wordpress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the admin console area, /wp-admin/

    After login, wordpress sets the wordpress_logged_in_[hash] cookie, which indicates when you’re logged in, and who you are, for most interface use.”

    Furthermore, WordPress cookies that are only set when visiting the /wp-admin/ part of the site will be hidden from the Cookie Policy as they are not relevant to visitors on the front-end.

    Please let me know if you have any further questions about this.

    Kind regards,
    Leon

    Plugin Contributor Leon Wimmenhoeve

    (@leonwimmenhoeve)

    @twd In addition, the hashed part of the cookie name should be replaced by an asterisk. Please issue a new sync with cookiedatabase to enable this.

    Regards,
    Leon

  • The topic ‘Is this a security vulnerability?’ is closed to new replies.
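
An added example, not part of the thread and not the plugin's or WordPress's own code: it rebuilds the login-cookie names discussed above from a site URL and masks the suffix with an asterisk, as the last reply describes. It assumes the WordPress default where the `[hash]` suffix (COOKIEHASH) is the md5 of the site URL and has not been overridden in wp-config.php; the site URL and all function names are constructed for illustration.

```python
import hashlib
import re

# Prefixes WordPress core puts in front of COOKIEHASH for its login cookies.
PREFIXES = {
    "auth": "wordpress_",
    "secure_auth": "wordpress_sec_",
    "logged_in": "wordpress_logged_in_",
}

# A login-cookie name: one of the prefixes followed by a 32-character md5 hex digest.
_NAME = re.compile(r"^(wordpress_(?:sec_|logged_in_)?)([0-9a-f]{32})$")


def cookie_hash(site_url: str) -> str:
    """Default COOKIEHASH: md5 of the site URL, a value any visitor already knows."""
    return hashlib.md5(site_url.encode("utf-8")).hexdigest()


def cookie_names(site_url: str) -> dict:
    """Login-cookie names a site at site_url would use (assumed default setup)."""
    suffix = cookie_hash(site_url)
    return {kind: prefix + suffix for kind, prefix in PREFIXES.items()}


def suffix_is_site_hash(name: str, site_url: str) -> bool:
    """True when the suffix in a cookie name is just md5(site_url)."""
    m = _NAME.match(name)
    return bool(m) and m.group(2) == cookie_hash(site_url)


def mask_cookie_name(name: str) -> str:
    """Show the per-site suffix as '*', the form a cookie policy can list."""
    return _NAME.sub(r"\1*", name)


if __name__ == "__main__":
    site = "https://example.com"  # constructed site URL
    for kind, name in cookie_names(site).items():
        print(f"{kind:12} {name} -> {mask_cookie_name(name)}")
```

The name only labels the cookie for a given site; the cookie's value, which a cookie policy page does not list, is what authenticates the session.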