Comments on: Safer Cookies Plugin For WordPress

By: White Shadow

White Shadow — Thu, 03 Sep 2009 09:48:09 +0000

It’s possible, but that would be a whole new plugin.

By: Pikipik

Pikipik — Thu, 03 Sep 2009 04:56:30 +0000

The Plugins work fine, i want to ask : is it possible to make Only one login at one session base on cookies.

prevent multiple login from different IP on membership artcile / blog

Thanks

By: White Shadow

White Shadow — Tue, 23 Jun 2009 10:18:47 +0000

Try clearing your cookies.

By: tom

tom — Tue, 23 Jun 2009 04:17:36 +0000

when i deactivated this plugin, my admin page doesnt show anymore. it’s just a blank page.

By: Shane

Shane — Wed, 10 Jun 2009 18:56:50 +0000

This is nonsense.

Liu’s paper is nonsense as well.

1.) It states clearly that the most prominent vulnerability for replay attacks in Fu’s protocol (the one they purportedly deprecate) is an attacker obtaining the SSL Session key via various methods (albeit not simple ones), but then goes on to state that their ‘fix’ for this issue was simply to include the SSL session key in the HMAC of the cookie, which is useless fluff if the attacker can obtain the SSL session key (as they state is a very real possibility just a paragraph before). See section 2.3 (Problem II: Replay Attacks) in Liu’s paper.

2.) SSL Session keys can, and do, get re-negotiated at arbitrary times both by the client and the server, rendering this nearly useless as an authenticated session scheme. The client will effectively be logged off for (as far as he/she knows) no apparent reason and at random times. Setting a higher cache/timeout times for the keys in Apache or similar will also be ineffective because that is simply a top-shelf suggestion, and not a static timeout requirement.

As for tying a cookie to an IP address, that is simply idiotic. Not only are IP addresses incredibly simple to spoof, many (if not a huge) amount of legitimate users are routed through rotating proxies, NATs, gateways, et al. Not to mention TOR users (or similar) who’s IP address will change with nearly every request.

An IP address is not a unique identifier, nor is the User Agent string. They can not be relied upon.

Frankly, nearly any attempt to ’secure’ a cookie-based authentication scheme against replay attacks is moot. The flaw is in the protocol itself, it’s stateless. Until there is a way for a client to sign or alter their cookies in some way prior to being sent to the server, there will always be holes in any cookie-based authentication scheme. Using SSL is a step-above, but still just as vulnerable. The cookies are stored in the clear on the user’s hard-drive, so SSL-only cookies simply prevent (well, not ‘prevent’, simply increase the difficulty of) man-in-the-middle attacks.

Sorry to say it, but your scheme is about as naive as they come. Which isn’t to say that there are many better solutions, but don’t think you’re fireproof or something. Your scheme is a script-kiddies dream, even more so when you mistakenly think that it’s somehow secure.

By: Another ‘How To Guide’ for securing WordPress: How to protect your WordPress installation and recover if your website is hacked.,How-To-Guides, Mac, WordPress, blogging, domains, online tools, productivity, security, software, web | MileHighTe

Tue, 09 Jun 2009 22:52:38 +0000

[...] Safer Cookie (rated 8 out of 10): Ties the WordPress session cookie to the user’s IP address which ensures the cookie can’t be used to access the admin panel from another computer. [...]

By: Vito Botta

Vito Botta — Sun, 03 May 2009 11:02:47 +0000

I agree with White Shadow.
Don’t get me wrongly, but this plugin sounds useless.
The situations in which you risk to get your cookies stolen and used for replay attacks, are those situations in which you share your IP address with other users. Workplace, Internet cafes, public wifi networks, etc. If somebody gets hold of your cookies while sharing your IP address, (s)he would anyway be able to use it because your plugin would allow it.
A “proper” secure, cookie protocol would IMO require much bigger effort.
There are various methods, but if I may I’d suggest to look at this white paper which exposes a number of known methods, and then proposes a better approach (which I use when developing my applications):
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

By: Wordpress inpenetrabil . | azrael-sub7 personal blog

Wordpress inpenetrabil . | azrael-sub7 personal blog — Sat, 14 Feb 2009 12:01:35 +0000

[...] Legati cookie-urile de ip folosind Safer cookies [...]

By: Safer Cookies

Safer Cookies — Fri, 30 Jan 2009 18:56:06 +0000

[...] will create a session cookie that is used to authenticate you. If someone was to steal the …..read more Download Plugin! Version 1.1 Last Updated: July 27, 2008 [...]

By: Time Synchronisation

Time Synchronisation — Wed, 10 Dec 2008 11:13:52 +0000

This plugin is ace