• Hey!

    I’m developing a plugin that makes use of cookies and I looked at core WP code for guidelines on how to make cookies work nicely with WP (given that there can be multisite installations and such). I came across the COOKIEHASH constant which is used in names of a lot of cookies but I can’t guess the exact purpose of suffixing cookie names with it.

    One idea that I had was that this is used to work with multisite installations, but most of the cookies (if not all) also have the setcookie() “path” and “domain” parameters set, so this shouldn’t be an issue on multisite installations.

    The other idea was to make it a bit harder for attackers to guess the name of the cookie. While this would work for very basic attacks, since COOKIEHASH is an MD5 checksum of the site’s URL address, any attacks that would try to hack a site using cookies would take that into account.

    So what exactly is the purpose of COOKIEHASH? Maybe it’s something else than the above?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    I think you are correct, it is for multisite situations. You correctly observed that domain and path arguments should be adequate to separate various blogs, but I would hate to rely on those alone. For sites that use paths to differentiate different blogs, they all use the same domain, only the path is unique. So only the path distinguishes one blog from another. Relying on path alone strikes me as rather risky. I feel a lot better knowing a site URL hash is added to the tag to be sure.

    I’ve no idea if that is the thinking or if there is another purpose not apparent to us. Since no one else has ventured any thoughts so far, I figured some corroboration is better than none.

    Thread Starter Waclaw Jacek

    (@waclawjacek)

    Thanks a lot for your input, @bcworkz! Why do you think simply relying on the path is rather risky?

    I would love to also hear on this from core WP devs. Maybe there’s something else to it?

    Moderator bcworkz

    (@bcworkz)

    The cookie values are sent from the client browser, thus are hackable and need to be considered as suspect. A bad actor could possibly use a malformed cookie to access blogs they have no business accessing. There are additional barriers preventing this I believe, but accepting cookie values without being able to confirm they have not been corrupted is a major chink in the armour. There are enough unknowable factors in the cookie hash to make correctly hashing a malformed path very unlikely.

    I’d love to hear additional thoughts by others too. Let’s see if anyone else wants to contribute.

  • The topic ‘What is the purpose of the “COOKIEHASH” constant?’ is closed to new replies.
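
Added example, not part of the thread and not WordPress core code: a small model of browser cookie path matching for two installs on one domain whose cookie paths overlap. It compares plain cookie names with names suffixed by the MD5 of the site URL, as the first post describes. The site URLs, the `wordpress_logged_in_` prefix used here and all helper names are assumptions made for illustration.

```python
import hashlib

def cookie_name(prefix, site_url=None):
    """Cookie name, optionally suffixed with md5(site URL) as the thread describes."""
    if site_url is None:
        return prefix
    return prefix + hashlib.md5(site_url.encode()).hexdigest()

def path_matches(cookie_path, request_path):
    """Path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, request_path):
    """Names of the cookies a browser attaches to a request (same domain assumed)."""
    return [name for name, path in jar if path_matches(path, request_path)]

# Constructed sample: two separate installs on one domain; "/" also covers "/blog/".
SITES = [("https://example.com", "/"), ("https://example.com/blog", "/blog/")]

def jar_for(use_hash):
    """Cookie jar holding one login cookie per site, with or without the suffix."""
    return [(cookie_name("wordpress_logged_in_", url if use_hash else None), path)
            for url, path in SITES]

def ambiguous_names(jar, request_path):
    """Names that reach the server more than once on a single request."""
    sent = cookies_sent(jar, request_path)
    return sorted({name for name in sent if sent.count(name) > 1})

if __name__ == "__main__":
    for use_hash in (False, True):
        jar = jar_for(use_hash)
        print("hash suffix:", use_hash)
        print("  sent to /blog/wp-admin/:", cookies_sent(jar, "/blog/wp-admin/"))
        print("  ambiguous names:", ambiguous_names(jar, "/blog/wp-admin/"))
```

With the suffix, both cookies still reach `/blog/wp-admin/`, but each site can select its own by name instead of receiving two values under one name.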