achieving login implementation without using sessions

It uses bare cookies and stores the login state information client side.

enter image description here

+

enter image description here

=

wordpress_7339a175323c25a8547b5a6d26c49afa=yourusername%7C1457109155%7C170f103ef3dc57cdb1835662d97c1e13;

Where do all these cookies and salt come from?

The salt is in your wp-config.php file:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

The unique phrases are used in a cryptographic hash function

The authentication cookie, the name of which is stored inside of AUTH_COOKIE, which is formed by concatenating “wordpress_” with the md5 sum of the siteurl set in default-constants.php. This is the default behavior and can be overridden from inside your configuration file, by setting up some of the constants upfront.

The authentication cookie a concatenation of the username, a timestamp until which the authentication cookie is valid., and an HMAC, which is sort of a key-biased hash for those who pulled of a TL;DR right now. The three variables are concatenated with the pipe character |.

Here is how the HMAC is constructed:

$hash = hash_hmac('md5', $username . '|' . $expiration, wp_hash($username . substr($user->user_pass, 8, 4) . '|' . $expiration, $scheme));

Is this secure?

According to this article where most of the information in this answer came from it would take a hacker about week to brute force in sending 30 requests a second if they knew what your unique phrase was and 200,000,000,000,000,000,000,000,000,000,000 times harder if your keys are unique.

Related Posts:

  1. PHP 7.2 – Warning: count(): Parameter must be an array or an object that implements Countable
  2. Sticky and NON-Sticky sessions
  3. Session timeout in ASP.NET
  4. Authentication: JWT usage vs session
  5. How to use my own custom session value in WordPress?
  6. Destroy user sessions based on user ID
  7. Enable WordPress Sessions
  8. Where is the wordpress session stored?
  9. Share session between my site and WP blog [closed]
  10. How to get outside login data (session) in WordPress?
  11. Session problem in PHP – trying to create a simple CAPTCHA
  12. Multi-instance WordPress usingn Memcached to handle sessions requests login every time a requests is handled by a different server
  13. Would this be achieveable?
  14. Using session in WP without trouble with the API REST
  15. Re-use Nonce in Repeating Event Signup Buttons
  16. Plugin is attempting to start a session with WordPress. WP Session Manager will not work! DomPdf
  17. Session is not working properly
  18. Retrieve parameter from url
  19. Session constantly resets variable
  20. sharing the same cookie session with multiple wordpress installs on the same domain?
  21. How to check if the user was redirected?
  22. Session stays active until page update in dashboard
  23. Parsing session info between WordPress and non-WordPress
  24. $_SESSION dosent’t work
  25. What are sessions? How do they work?
  26. How to use cURL to send Cookies?
  27. “Cannot send session cache limiter – headers already sent”
  28. PHP sessions that have already been started
  29. How to access Session variables and set them in javascript?
  30. Session variables not working php
  31. How reduce wordpress login session timeout time?
  32. Extend WordPress (4.x) session and nonce
  33. Disable WordPress 3.6 idle logout / login modal window / session expiration
  34. How to pass users back and forth using session data?
  35. Allow up to 5 Concurrent Login Sessions
  36. How should you hook a session_start() when authoring a plugin?
  37. How to fake a WordPress login?
  38. Does using set_transient() function can lead to MySQL problems?
  39. Clearing cookie on logout and session expiration
  40. Display message once per session to users with a specific role
  41. Why does $_SESSION only work when I am logged in?
  42. share login/logout sessions across two installs?
  43. Handling nonces for actions from guests to logged-in users
  44. How can I get logged in user’s session data from admin-ajax?
  45. Sessions not creating correctly in custom function
  46. How do I extend auto logout on idle OR redirect inline popup
  47. Session is not starting
  48. how to show posts of category random by session
  49. $_SESSION variables lost during OAuth callback
  50. Custom query form submission pagination
  51. update_user_meta() does not work
  52. pass-protected pages and posts not protected after enter them 1 time
  53. Disconnect automattically after X minutes
  54. How to implement a $_SESSION alternative in WordPress inside a theme without a plugin?
  55. User Session and Stored Cookies not get removed
  56. Check if user is logged in to site A when visiting site B
  57. Expired session error (admin) when I try to make a call to WooCommerce api [closed]
  58. Share WordPress login info with other PHP app
  59. Change the default 10-day expiration for the password protected pages cookie
  60. iframe does not store session/cookie when refresh parent
  61. PHP header() gives headers already sent
  62. Safe to start a php session on get_header action?
  63. Get my site session in wordpress?
  64. Unset session variable on page reload / setup but exclude AJAX
  65. Displaying “One Time” Notification in Plugins
  66. Run query_posts if SESSION is empty?
  67. Display if author page is author page of current user
  68. How do I add $_SESSION[”] to my wordpress page?
  69. Updating transient value frequently
  70. how do i change my website facebook login button to another text immediately user login? [closed]
  71. Custom $_SESSION expires too early
  72. Store and Change Session variable – PHP SESSION VARIABLE
  73. PHP session when called wp_ajax_nopriv
  74. WordPress Website with Login system
  75. Error when setting cookie
  76. Add session or cookie to remember last menu location
  77. Replacing a placeholder term with a session variable value in taxonomy filter
  78. Set cookie parameters on wp site – PHP not working?
  79. logout users with specific role after close browser tab
  80. Session management issues with WordPRess 404 Error page
  81. Plugin or ways to limit number of users logging in the website,
  82. Restricting wordpress login sessions for a web app
  83. End session screen not close automatically after login
  84. Correct user session/cookie handling with external site connection in wordpress
  85. PHP session not staying alive. headers already sent
  86. Requiring a Visitor to Enter a Password Each Time They visit a Page
  87. after logout session not destroy from server/website side
  88. Best hook for when a user session ends?
  89. Pass WordPress variable to the next page
  90. ajax polling with admin-ajax.php
  91. How to destroy all user sessions via WP-CLI
  92. PHP Session Variable to WordPress Error
  93. Session variables lost during Ajax calls – WordPress – Sage Starter Theme
  94. Why WordPress not logout after I have close my browser?
  95. Can’t redirect to previous page after using GET
  96. SHORTINIT and sessions
  97. User not logged first time I open the homepage
  98. Where are Sessions are being started? [closed]
  99. WordPress & PHP sessions
  100. How to limit user to login only once per session

Leave a Comment