Safer Cookies Plugin For WordPress

As you might know, when you log in to a WordPress blog a session cookie is created that serves as a kind of authentication “key”. This is what lets you stay logged in and access various areas of the dashboard without having to enter your password every time. However, if an attacker were to get this cookie from your computer – e.g. via some kind of cross-site attack – they would be able to use it to get into your blog.

Safer Cookies is a WordPress plugin that ties the session cookie to the user’s IP address, which ensures the cookie can’t be used to access the admin panel from another computer. Use it to make your blog more secure and resistant to hackers. It’s easy – the plugin functions in a “set and forget” manner, just activate it and enjoy 🙂

Download Plugin

safer-cookies.zip (1 KB)
Requirements: WP 2.5+

You will need to log in again after you activate this plugin. This is normal and shows that the plugin is working. On the other hand, you probably shouldn’t use this plugin if your IP address changes very often, as you’ll need to log in anew every time that happens.
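To make the idea concrete, here is an added example (not the plugin's own code and not WordPress's) of an IP-bound cookie in the style of the old `username|expiration|hmac` WordPress auth cookie: the client IP is mixed into the signed material, so a cookie copied to a machine on another address fails validation, while a changed IP on the legitimate machine also forces a new login. The secret key and the sample IPs are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example. In WordPress the salted
# keys in wp-config.php play this role (assumption: one secret is enough here).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _mac(username: str, expiration: int, client_ip: str) -> str:
    # The client IP becomes part of the authenticated message, which is what
    # binds the cookie to the address it was issued to.
    msg = f"{username}|{expiration}|{client_ip}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def generate_cookie(username: str, client_ip: str, lifetime: int = 3600,
                    now: Optional[int] = None) -> str:
    """Return a username|expiration|mac cookie bound to client_ip."""
    expiration = (int(time.time()) if now is None else now) + lifetime
    return f"{username}|{expiration}|{_mac(username, expiration, client_ip)}"


def validate_cookie(cookie: str, client_ip: str,
                    now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is intact, unexpired and presented
    from the IP it was bound to; otherwise return None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration_str, presented_mac = parts
    if not expiration_str.isdigit():
        return None
    expiration = int(expiration_str)
    if expiration < (int(time.time()) if now is None else now):
        return None  # expired
    # Recompute the MAC for the address that is presenting the cookie now.
    # A cookie stolen and replayed from a different address fails here;
    # a cookie replayed from the same (e.g. NAT-shared) address does not.
    expected = _mac(username, expiration, client_ip)
    if not hmac.compare_digest(expected, presented_mac):
        return None
    return username
```

Note that two clients behind the same NAT present the same address to the server, so this binding does not distinguish them; that is the limitation raised in the comments below.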


36 Responses to “Safer Cookies Plugin For WordPress”

  1. underworld says:

    Good plugin if you use static IPs!

    WordPress is one of the high-risk cookies, I would say – due to its popularity, it's one that is likely to be looked for!

  2. White Shadow says:

    Yeah, I was pretty surprised it hasn’t been implemented in WP core years ago. With the popularity of WordPress security must surely be one of the main concerns.

  3. underworld says:

    They would rather turn functions off than fix them for security, it would seem, since their recent xmlrpc action!

  4. White Shadow says:

    Indeed, that “solution” is a bit questionable.

  5. underworld says:

    questionably annoying but really solving nothing! ah well this is life for big corps these days!

  6. Philix says:

    This is a really nice plugin

  7. Poojan Wagh says:

    Excellent plug-in. I was actually looking for an answer to see if WP 2.6+ restricts/cookies cookies by IP addresses. I guess not. Thanks for the plugin!

  8. patrick says:

    Hi,
    thanks for your plugin,
    how does it work when 2 users (or more) access the blog through the same internet connection (with NAT)? Is the other able to steal my cookie and log in?

    Greets Patrick

  9. White Shadow says:

    Yes, I think that would be theoretically possible, i.e. the external IP that WordPress sees would be the same for both users.

  10. Time Synchronisation says:

    This plugin is ace

  11. Vito Botta says:

    I agree with White Shadow.
    Don’t get me wrong, but this plugin sounds useless.
    The situations in which you risk getting your cookies stolen and used for replay attacks are those in which you share your IP address with other users: workplace, Internet cafes, public wifi networks, etc. If somebody gets hold of your cookies while sharing your IP address, (s)he would be able to use them anyway, because your plugin would allow it.
    A “proper” secure cookie protocol would IMO require much bigger effort.
    There are various methods, but if I may I’d suggest to look at this white paper which exposes a number of known methods, and then proposes a better approach (which I use when developing my applications):
    http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

  12. […] Safer Cookie (rated 8 out of 10):  Ties the WordPress session cookie to the user’s IP address which ensures the cookie can’t be used to access the admin panel from another computer. […]

  13. Shane says:

    This is nonsense.

    Liu’s paper is nonsense as well.

    1.) It states clearly that the most prominent vulnerability for replay attacks in Fu’s protocol (the one they purportedly deprecate) is an attacker obtaining the SSL Session key via various methods (albeit not simple ones), but then goes on to state that their ‘fix’ for this issue was simply to include the SSL session key in the HMAC of the cookie, which is useless fluff if the attacker can obtain the SSL session key (as they state is a very real possibility just a paragraph before). See section 2.3 (Problem II: Replay Attacks) in Liu’s paper.

    2.) SSL Session keys can, and do, get re-negotiated at arbitrary times both by the client and the server, rendering this nearly useless as an authenticated session scheme. The client will effectively be logged off for (as far as he/she knows) no apparent reason and at random times. Setting a higher cache/timeout times for the keys in Apache or similar will also be ineffective because that is simply a top-shelf suggestion, and not a static timeout requirement.

    As for tying a cookie to an IP address, that is simply idiotic. Not only are IP addresses incredibly simple to spoof, a large (if not huge) number of legitimate users are routed through rotating proxies, NATs, gateways, et al. Not to mention TOR users (or similar) whose IP address will change with nearly every request.

    An IP address is not a unique identifier, nor is the User Agent string. They can not be relied upon.

    Frankly, nearly any attempt to ‘secure’ a cookie-based authentication scheme against replay attacks is moot. The flaw is in the protocol itself, it’s stateless. Until there is a way for a client to sign or alter their cookies in some way prior to being sent to the server, there will always be holes in any cookie-based authentication scheme. Using SSL is a step-above, but still just as vulnerable. The cookies are stored in the clear on the user’s hard-drive, so SSL-only cookies simply prevent (well, not ‘prevent’, simply increase the difficulty of) man-in-the-middle attacks.

    Sorry to say it, but your scheme is about as naive as they come. Which isn’t to say that there are many better solutions, but don’t think you’re fireproof or something. Your scheme is a script-kiddies dream, even more so when you mistakenly think that it’s somehow secure.

  14. tom says:

    When I deactivated this plugin, my admin page doesn't show anymore. It's just a blank page.

  15. White Shadow says:

    Try clearing your cookies.

  16. Pikipik says:

    The plugin works fine. I want to ask: is it possible to allow only one login per session based on cookies,

    to prevent multiple logins from different IPs on a membership article / blog?

    Thanks

  17. White Shadow says:

    It’s possible, but that would be a whole new plugin.

  18. Bill says:

    I hope that I am mistaken, but I don’t believe that the plug-in is working with WordPress version 2.8.6.

    When I activate it as an admin in version 2.8, I am logged out and have to log in again, but when I activate it in version 2.8.6, I am not logged out and I am still able to use cookie information from another machine to change who I am logged in as.

    Again, I hope it is just user error, but as you have said, it is pretty simple to use, and has always worked in the past.

  19. White Shadow says:

    Still works for me on 2.8.6 (and the current dev. snapshot of 2.9).

    However, I looked at the WP source code and it seems that the authentication algorithms have changed (very) slightly, maybe that’s tripping up the plugin in your case. I’ll upload an update that integrates the algorithm changes; perhaps that’ll help.

  20. Bill says:

    Found my issue. The site where I was testing the new version also had the “Admin SSL” plugin activated and that trumped the safer cookies plug-in.

    Thanks for the help.
