I just installed WordPress (the latest) and I'm trying to study WordPress to make my creations secure like WordPress does, or to its level.

I noticed upon logging into WordPress, it created 3 cookies.

What I'm trying to figure out is: after logging into WordPress and after it created the cookies for the user, the hash values that are inserted into the cookie, how does that value authenticate who the user is? I matched the values stored in the cookie against the values stored in the database table called wp_users and it doesn't match.

What I usually do when authenticating a user is, upon registration, I'll have a column in a table, say tbl_users, called hash, and the value that would go in this column would be a sha1 conversion of the user name (the user created upon registration). Upon logging in on a login page, and after authenticating the user by checking if he exists in the DB and so forth, I would create a cookie for that user. In the cookie I would insert the hash that existed in the DB and store it in the cookie. That is how I tracked the user through the pages. Anyone know how WordPress is doing it? Or maybe I'm doing it the wrong way? I don't know.

Thanks in advance.

A: 

If the user authentication hash is in a cookie then it could be read, and since it already matches what is in the database directly it could be used by anyone who knows how to look at the cookies. WordPress applies a little bit of post-processing to the user hash, I think it's in wp_settings.php.

I think it combines the user hash with the unique key you write into one of the variables in wp_config.php. After that you have a unique key built up from something publicly available like the username hash or whatever it is and from something only available in the script, i.e. not publicly available. It's that combination which then matches what is in the DB and authenticates the user.

Hope that makes sense. Some other people may be able to give you better advice about PHP security so you may want to make your question more general.

sanchothefat
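To make the point of this answer concrete, here is an added example (not WordPress's own code, which lives in wp-includes/pluggable.php, and not code from either poster). It puts the questioner's scheme, a bare sha1(username) in the cookie, next to a signed scheme where a keyed HMAC over the username and an expiry is computed with a secret that exists only in server-side configuration. The constant `SERVER_SECRET`, the cookie layout `username|expires|mac`, and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not WordPress code. Shows why a cookie holding sha1(username)
// proves nothing, and how a keyed MAC plus expiry binds the cookie to a secret
// the client never sees.
declare(strict_types=1);

// ASSUMPTION: stands in for a long random key kept only in server config
// (the role the keys in wp-config.php play). Constructed placeholder value.
const SERVER_SECRET = 'PLACEHOLDER-long-random-value-from-server-config';

// The questioner's scheme: the value depends only on public information,
// so anyone who knows a username can compute the cookie for that account.
function weak_cookie(string $username): string
{
    return sha1($username);
}

// Signed scheme: value = username|expires|mac. The MAC covers the public
// parts and is keyed with SERVER_SECRET, so it cannot be produced without
// the secret and any change to username or expiry invalidates it.
function make_auth_cookie(string $username, int $expires): string
{
    $payload = $username . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, SERVER_SECRET);
    return $payload . '|' . $mac;
}

// Returns the authenticated username, or null if the cookie is malformed,
// expired, or fails the MAC check. Usernames containing '|' would break the
// layout, so a real deployment should reject them at registration.
function validate_auth_cookie(string $cookie, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null; // malformed or expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time comparison; do not use == here
    }
    return $username;
}

// Demonstration with a constructed user.
$now = time();
$cookie = make_auth_cookie('alice', $now + 3600);
var_dump(validate_auth_cookie($cookie, $now));

// Editing the username in the cookie leaves the MAC stale, so it is rejected.
$tampered = str_replace('alice', 'admin', $cookie);
var_dump(validate_auth_cookie($tampered, $now));

// A correctly signed but expired cookie is also rejected.
var_dump(validate_auth_cookie(make_auth_cookie('alice', $now - 1), $now));

// The weak cookie, by contrast, is reproducible by anyone from the username alone.
var_dump(weak_cookie('alice') === sha1('alice'));
```

When actually setting the cookie, pass it through setcookie() with the `httponly` and `secure` options so scripts on the page cannot read it and it is only sent over HTTPS; the MAC protects integrity, not confidentiality, so a stolen cookie is still a valid session until it expires, which is why the expiry is part of the signed payload.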
A: 

I would look at MD5 encryption and just try to validate in your WordPress DB using that. I haven't tried it but I want to do the same thing.

Just a note to you. When I was faced with the same issue while creating web apps I avoided dealing with that and just decided to use WordPress as a wrapper for my apps. You can have the login direct to your chosen template, which can be a PHP page, so once inside you can do anything you like but your application will be protected by WordPress and they update their security as things change. So far for me this has been a win-win-win arrangement.

I validate my users using WordPress itself. You can call functions that exist in WordPress to verify who is logged in and using your app. You can then take advantage of everything WordPress has to offer. I love having phpMyAdmin right inside the WordPress admin panel. This has made my life incredibly easy recently and I don't have to worry about what I don't know about security. If you're developing without a security expert this might be a great option for you. Let me know if you want to know more about how I'm setting it up.