@cubehouse
Created September 8, 2014 19:04
Changes in WordPress 4.0 Authentication Cookie Structure (MD5 to Sha256)
@@ class WPAuth
// Validate the hash contained within the cookie
$pass_frag = substr($user['user_pass'], 8, 4);
- $key = $this->wp_hash($user['user_login'].$pass_frag.'|'.$cookie[1], 'logged_in');
- $hash = hash_hmac('md5', $user['user_login'].'|'.$cookie[1], $key);
+
+ $key = $this->wp_hash($user['user_login'].'|'.$pass_frag.'|'.$cookie[1].'|'.$cookie[2], 'logged_in');
+ $hash = hash_hmac('sha256', $user['user_login'].'|'.$cookie[1].'|'.$cookie[2], $key);
- if($hash == $cookie[2])
+ if($hash == $cookie[3])
{
return $user['ID'];
}
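Review bot: the final check `if($hash == $cookie[3])` compares the HMAC with a loose, non-constant-time `==`. PHP compares two numeric-looking strings (for example `0e` followed only by digits) as numbers, and the time the comparison takes can depend on how many leading characters match. Suggest `if (hash_equals($hash, $cookie[3]))` on PHP 5.6+, or at minimum `===`. It is also worth confirming, above this hunk, that the cookie actually split into four fields before `$cookie[3]` is indexed, since a pre-4.0 three-field cookie would leave it unset.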
@cubehouse
Author

Finally found change in WordPress session cookie here:
https://core.trac.wordpress.org/ticket/20276
WordPress/WordPress@654e46f
