Ok, I've found the solution.
In fact, as I hadn't noticed, there is always the hashed password, but for now the logged_in cookie is structured like this:
%login%|%timeout%|%sessionId%|%passhashed%
instead of:
%login%|%timeout%|%passhashed%
It has been like this since WordPress 4.0 and the wp_session_cookie integration; the auth method is the same as before, but there are just 2 changes:
- the session id is introduced in the cookie and in the key calculation
- the logged_in cookie encryption is sha256 or, if not possible, sha1
So here is a scheme of the encryption process:
KEY = md5_HMAC(%login%|%characters 8-12 of the passhashed in database%|%timeout%|%sessionId% , LOGGED_IN_KEY.LOGGED_IN_SALT);
RESULT = sha256_HMAC(%login%|%timeout%|%sessionId% , KEY);
// RESULT = sha1_HMAC(%login%|%timeout%|%sessionId% , KEY); only if sha256 is not supported
And for now, to approve a connection, the logged_in cookie's hashed pass needs to be the same as RESULT.
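The scheme above, reimplemented in Python as an added example (not WordPress's own PHP code): it rebuilds the 4-field logged_in cookie from the two HMAC steps, then validates one the way the answer describes, rejecting the old 3-field layout, an expired timeout, a tampered session id and a changed stored password hash. The key, salt, stored hash, login and session id values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins for the LOGGED_IN_KEY / LOGGED_IN_SALT constants
# that a real site defines in wp-config.php (placeholders, not real secrets).
LOGGED_IN_KEY = "constructed-logged-in-key"
LOGGED_IN_SALT = "constructed-logged-in-salt"

# Constructed stand-in for the phpass hash stored in wp_users.user_pass.
STORED_PASS_HASH = "$P$BconstructedPhpassHashPlaceholder0123456"


def wp_hash(data: str) -> str:
    """Step 1 of the scheme: HMAC-MD5 keyed with LOGGED_IN_KEY . LOGGED_IN_SALT."""
    secret = (LOGGED_IN_KEY + LOGGED_IN_SALT).encode()
    return hmac.new(secret, data.encode(), hashlib.md5).hexdigest()


def cookie_hmac(login: str, pass_hash: str, timeout: int, session_id: str,
                algo: str = "sha256") -> str:
    """Step 2: RESULT for the 4-field cookie; algo is 'sha256' or the 'sha1' fallback."""
    pass_frag = pass_hash[8:12]  # characters 8-12 of the stored password hash
    key = wp_hash(f"{login}|{pass_frag}|{timeout}|{session_id}")
    msg = f"{login}|{timeout}|{session_id}".encode()
    return hmac.new(key.encode(), msg, getattr(hashlib, algo)).hexdigest()


def build_logged_in_cookie(login, pass_hash, timeout, session_id, algo="sha256"):
    """Assemble %login%|%timeout%|%sessionId%|%passhashed%."""
    result = cookie_hmac(login, pass_hash, timeout, session_id, algo)
    return f"{login}|{timeout}|{session_id}|{result}"


def validate_logged_in_cookie(cookie, pass_hash_for_login, now, algo="sha256"):
    """Return the login if the cookie verifies, else None.
    pass_hash_for_login(login) looks up the stored hash (None for an unknown user)."""
    fields = cookie.split("|")
    if len(fields) != 4:  # the pre-4.0 three-field layout is not accepted
        return None
    login, timeout, session_id, given = fields
    if not timeout.isdigit() or int(timeout) < now:  # malformed or expired
        return None
    pass_hash = pass_hash_for_login(login)
    if pass_hash is None:
        return None
    expected = cookie_hmac(login, pass_hash, int(timeout), session_id, algo)
    # Constant-time comparison, as WordPress does with hash_equals().
    if not hmac.compare_digest(expected, given):
        return None
    return login
```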