Ok i’ve found the solution.
In fact, as i haven’t noticed, there is always the hashed mdp, but for now, the logged_in cookie is structured like this :
%login%|%timeout%|%sessionId%|%passhached%
instead of :
%login%|%timeout%|%passhached%
This is like this since wordpress 4.0, and the wp_session_cookie integration, the auth method is the same that before but there is just 2 change :
- the sessionid is introduced in the cookie and the key calculation
- the logged_in cookie encryption is sha256 or if not possible sha1
So there is a scheme of the encryption process
KEY = md5_HMAC(%login%|%caracter 8-12 of the passhached in database%|%timeout%|%sessionId% , LOGGED_IN_KEY.LOGGED_IN_SALT);
RESULT = sha256_HMAC(%login%|%timeout%|%sessionId% , KEY);
// RESULT = sha1_HMAC(%login%|%timeout%|%sessionId% , KEY); only if sha256 is not supported
And for now, to approve a connexion, the logged_in_cookie’s pass hached need to be same as RESULT
Related Posts:
- Can someone explain what wp_session_tokens are, and what are they used for?
- Log in from one wordpress website to another wordpress website
- Is there any way to check for user login and send him to login?
- How to store username and password to API in wordpress option DB?
- In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
- How to properly validate data from $_GET or $_REQUEST using WordPress functions?
- Nonces can be reused multiple times? Bug / Security issue?
- WordPress and PHP Sessions – Security and Performance
- What is the difference between esc_html and wp_filter_nohtml_kses?
- Init action hook running late after PayPal’s return url?
- How to check WordPress website username and password is correct
- Nonce in settings API with tabbed navigation
- Problems after wp_set_password() containing an apostrophe
- Escaping built-in WP function return strings
- What is the difference between strip_tags and wp_filter_nohtml_kses?
- WP Cron doesn’t save or in post body
- Two-step login process – Is it possible?
- How do I approach removing menu items on the fly based on settings in my plugin?
- WordPress restrict plugin file direct access
- Plugin development: is adding empty index.php files necessary?
- Confusion on WP Nonce usage in my Plugin
- Coding a plugin on WordPress; when should I sanitize? [duplicate]
- Correct way check nonce (security) using old Options API
- Why do I need to check if wp_nonce_field() exists before using it
- WordPress security issue to output data from user input from theme option form
- Proper way to pass credentials in a custom login form to avoid “headers already sent”
- External Authentication, session_tokens not destroyed on logout
- How to customize login process
- Secure Pages Best Practice
- wp_insert_user() function password never match
- Does wp_login only trigger before an user signs in into the admin panel?
- Securing/Escaping Output of file content – reading via fread() in PHP
- Logout users upon login, based on caps/role?
- Is it possible to make sure that only my plugins output is shown to the enduser?
- Password field is empty when using wp_signon();
- best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
- Video Security just like facebook [closed]
- Plugin Development for registered users
- Is disabling test_form in wp_handle_upload a security concern?
- How to connect my wordpress plugin to a remote database securely?
- wp_nonce_field displaying twice
- Enqueue script globally
- WP Multisite login not working on one subsite. Possibly cookies/ history issue?
- Is it necessary to do validation again when retrieving data from database?
- Checking a WordPress for OWASP top 10 vulnerabilities [closed]
- How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
- add_submenu_page hooked function must explicitly check user capabilities – why?
- Are there any security risks when submitting data-attribute data through AJAX?
- Why would you use esc_attr() on internal functions?
- How do I validate extra pin field on my WordPress login form page?
- Is it possible to use WP-CLI in a plugin (or theme)?
- Secruity Questions on a timer
- How to redirect home page to another page after login for all user?
- Using HTML links within translatable string
- How can I save a password securely as a settings field
- How to share user data across multiple WordPress websites?
- Using password protection to load different page elements?
- HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
- Allowing duplicating users with same user_login and user_email
- How to Login a User inside a Plugin and Redirect to page?
- Using custom IDP with WP
- Hiding the WordPress login and password fields from login page
- How to store sensitive user data (passwords)
- How do I make secure API calls from my WordPress plugin?
- esc_attr() on hard coded string
- how to add security questions on wp-registration page and validate it
- redirect_to how to make it simply work with get parameter or similar?
- Experts opinions needed: How (in)secure is this approach?
- What is more secure checking capabilities of user or checking role of user in WordPress plugin development
- Multiple Users Logged In Causing Incorrect Account Returned
- Data Validation, dynamically generated fields (select for example)
- Get user logged in status from within a plugin. $current_user not defined
- Need edit profile link in the menu for logged in users
- Create a Custom Login System in WordPress [closed]
- how can I insert a link on login page
- user can login from single account detail from multiple locations(computer) at the same time [closed]
- esc_url, esc_url_raw or sanitize_url?
- how to works woocommerce cart hash
- How do I debug an error that a plugin is causing?
- Adding an external stylesheet to a plugin
- Ajax +wordpress onClick link redirect to new page and create html content
- WP_NAV_MENU filter targets all menus
- Clean way to initialize plugin in newly-added site when plugin has been network activated?
- Get section of input passed to the sanitize_callback
- wp_ prefix changed. What is the way to change so any prefix is understood?
- If $var is empty, return 404.
- How to replace settings in WordPress plugin from a theme
- Forward an old url rewrite scheme to a new one?
- Use options to control jQuery plugin
- Save temporary registration data
- Including template in shortcodes
- Activate / Deactivate plugin
- Is there a WordPress plugin to design WebGL? [closed]
- $wpdb in php 5.5
- how to display a string in admin_notices hook from a class plugin
- How to add a route?
- Create an user on external database
- Should I put my plugin javascript inline?
- Adding Dynamic Stylesheet
- Form submission to another page returning 404 error [duplicate]