protecting against session attacks? | WordPress.org

Resolved Frank Goossens
(@futtta)

13 years ago

As WordPress does not store sessions and so cannot check against a list of known sessions (instead sessions are checked solely based on a cookie), the risk of session attacks (via e.g. cookie theft) is important. At that point Google Authenticator doesn’t help, as it is invoked on authenticate.

To what extend would it be possible for this plugin to try to mitigate that … security risk by hooking into the session validation logic and checking against known Google Authenticator authenticated sessions?

More info: http://blog.spiderlabs.com/2013/04/jamming-with-wordpress-sessions.html

http://wordpress.org/extend/plugins/google-authenticator/

Viewing 1 replies (of 1 total)

Henrik Schack
(@henrikschack)

13 years ago

Looks like the use of SSL would be the easy way to fix this doesn’t it ?

Best regards
Henrik Schack

Viewing 1 replies (of 1 total)

The topic ‘protecting against session attacks?’ is closed to new replies.

1 reply
2 participants
Last reply from: Henrik Schack
Last activity: 13 years ago
Status: resolved