Plugin Directory

Changeset 551913


Timestamp:
06/01/2012 05:08:56 PM (14 years ago)
Author:
johanee
Message:

Tag version 1.7.1. Fix auth cookie clearing during lockout

Location:
limit-login-attempts/tags/1.7.1
Files:
2 edited
1 copied

  • limit-login-attempts/tags/1.7.1/limit-login-attempts.php

    r546512 r551913  
    77  Author URI: http://devel.kostdoktorn.se
    88  Text Domain: limit-login-attempts
    9   Version: 1.7.0
     9  Version: 1.7.1
    1010
    1111  Copyright 2008 - 2012 Johan Eenfeldt
     
    8686 */
    8787
    88 add_action('init', 'limit_login_setup');
     88add_action('plugins_loaded', 'limit_login_setup', 99999);
    8989
    9090
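Review bot: moving `limit_login_setup` from `init` to `plugins_loaded` at priority 99999 changes when every hook registered inside that function is attached, not only the cookie handling, so the reason for the very late priority belongs in a comment on this line; the updated comment further down ("Must be called in plugin_loaded (really early)") explains why the cookie check has to run before `init`, but not why 99999 (run after the other plugins' `plugins_loaded` callbacks, since WordPress runs priorities in ascending order) is the intended spot.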
     
    103103    add_action('wp_login_failed', 'limit_login_failed');
    104104    if (limit_login_option('cookies')) {
    105         add_action('plugins_loaded', 'limit_login_handle_cookies', 99999);
     105        limit_login_handle_cookies();
    106106        add_action('auth_cookie_bad_username', 'limit_login_failed_cookie');
    107107
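Review bot: this direct call is the actual security fix and deserves a comment saying so. The removed line registered `limit_login_handle_cookies` on `plugins_loaded` from inside `limit_login_setup`, which until this changeset itself ran on `init`; `plugins_loaded` fires before `init`, so the action was added to a hook that had already completed and the handler never ran, which is exactly the lockout bypass the readme describes. A short note in the function's docblock that it must be invoked synchronously here rather than through another hook would keep the next refactor from reintroducing the bug.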
     
    240240
    241241/*
    242  * Action: called in plugin_loaded (really early) to make sure we do not allow
     242 * Must be called in plugin_loaded (really early) to make sure we do not allow
    243243 * auth cookies while locked out.
    244244 */
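Review bot: the hook is named `plugins_loaded`, not `plugin_loaded`; now that the comment documents a hard requirement ("Must be called ... really early"), the correct name matters for anyone searching the code for the hook. Consider also stating the consequence of violating it, which the readme spells out: auth cookie attempts are not blocked during a lockout.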
  • limit-login-attempts/tags/1.7.1/readme.txt

    r546524 r551913  
    44Requires at least: 2.8
    55Tested up to: 3.3.2
    6 Stable tag: 1.7.0
     6Stable tag: 1.7.1
    77
    88Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
     
    83833. Administration interface in WordPress 3.0.4
    8484
     85== Upgrade Notice ==
     86
     87= 1.7.1 =
     88Users of version 1.6.2 and 1.7.0 should upgrade immediately. There was a problem with "auth cookie" lockout enforcement. Lockout of normal password login attempts still worked as it should. Please see plugin Changelog for more information.
     89
    8590== Changelog ==
     91
     92= 1.7.1 =
     93This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.
     94
     95"Auth cookies" are special cookies set at login that authenticating you to the system. It is how WordPress "remembers" that you are logged in between page loads.
     96
     97During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.
     98
     99Lockout of normal password login attempts still worked as it should, and it appears that all "auth cookie" attempts would keep getting logged.
     100
     101In theory the "auth cookie" is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty to break it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many many years to break this hash. As theory and practice does not always agree it is still a good idea to have working lockouts of any such attempts.
    86102
    87103= 1.7.0 =
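Review bot: two typos in the added changelog text: "special cookies set at login that authenticating you to the system" should read "that authenticate you", and "As theory and practice does not always agree" should be "do not always agree". The entry also names the affected versions (1.6.2 and 1.7.0) but not the cause; one sentence noting that the cookie handler was registered on a hook that had already fired, and was therefore never run, would let administrators judge their exposure from the readme alone.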