• markussss

    (@markussss)


    I recently came across this post that explains why you should always log out. Basically because of cookie theft, active sessions can be stolen and used. There is no need for the attacker to actually log in, as he/she will be already logged in due to the active session. Not even 2FA will be of help in that case.

    https://speckyboy.com/always-log-out-of-wordpress/

    Is your plugin the solution to that problem? Or am I missing something here?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Deepen

    (@j_3rk)

    Hi,

    There may be various ways to do this. Although I do not imply that this plugin will be the solution to your concern, it adds basic security. Basic security as in logging out sessions that are inactive for a defined period of time.

    The plugin uses logout functions provided by WordPress core itself.

    TJR: The easiest way is to remember to log out. That’s it! When you log out you expire the cookie. If you just close your browser window, it leaves the cookie active. So, if it’s stolen, it can be used by anyone.

    Inactive Logout does log out the session completely after a certain defined duration, which satisfies this condition. Please note that the free version of Inactive Logout does not log out the session when a browser window is closed.

  • Thread Starter markussss

    (@markussss)

    Thanks a lot. I understand: as soon as the tab is closed, your plugin can’t “virtually click the logout button” anymore. But the pro version can do it, maybe somehow based on wp-cron.

    From what I read, the solution is either ALWAYS logging out manually, or using your pro plugin.

    @markussss, I have been looking over plugins like this to see how they might defend against stolen cookies, but I do not think they are likely to help except for the hard limits set on session cookies. Here’s why:

    • This reply was modified 4 months, 1 week ago by Dan Knauss. Reason: wrong url
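
The point this thread turns on, that a copied session cookie stays usable until the server forgets the session, shown as an added example that is not part of the thread and is not WordPress or Inactive Logout code. It is a simplified Python model; `SessionStore`, its timeout values and the `replay_outcomes` scenario are all constructed for illustration.

```python
import secrets

class SessionStore:
    """Server-side session table: a cookie is valid only while its token is stored."""

    def __init__(self, absolute_ttl, idle_ttl=None):
        self.absolute_ttl = absolute_ttl  # hard limit on session lifetime (seconds)
        self.idle_ttl = idle_ttl          # optional server-side inactivity limit
        self._sessions = {}               # token -> session record

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user, "expires": now + self.absolute_ttl, "last_seen": now}
        return token  # value the browser keeps in its cookie

    def validate(self, token, now):
        """Return the user for a presented cookie, or None if the session is dead."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        idle = self.idle_ttl is not None and now - rec["last_seen"] > self.idle_ttl
        if now > rec["expires"] or idle:
            del self._sessions[token]  # expiry is enforced on the server, not in the tab
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, token):
        # Explicit logout deletes the server-side record, so every copy of the cookie dies.
        self._sessions.pop(token, None)

def replay_outcomes():
    """Constructed scenario: the same cookie value is presented again 2 hours after login."""
    day, hour = 86400, 3600
    closed_tab = SessionStore(absolute_ttl=2 * day)
    t1 = closed_tab.login("admin", now=0)   # tab closed, user never logged out
    logged_out = SessionStore(absolute_ttl=2 * day)
    t2 = logged_out.login("admin", now=0)
    logged_out.logout(t2)                    # user clicked "Log out"
    idle_limit = SessionStore(absolute_ttl=2 * day, idle_ttl=900)
    t3 = idle_limit.login("admin", now=0)   # 15-minute idle limit checked server-side
    return {"closed_tab": closed_tab.validate(t1, 2 * hour),
            "logged_out": logged_out.validate(t2, 2 * hour),
            "idle_limit": idle_limit.validate(t3, 2 * hour)}
```

In this model the idle limit only helps when the copied cookie sits unused for longer than the window; each accepted request refreshes `last_seen`, so the absolute limit and explicit logout remain the hard stops.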