Security review of authentication tokens

Author: WordPress.org

Date: October 25, 2019 

Category: Make WordPress Meta

For the Five for the Future project, I ended up writing some custom code for authentication tokens which are stateful, have (cryptographically secure) random values, and can only be used once.

Those tokens will be used by companies to manage their pledges, so if an attacker was able to obtain a token, they’d be able to change a company’s name, logo, description, etc. to something inappropriate, remove contributors from the pledge, and deactivate the pledge entirely.

The reasons why authentication tokens were chosen are documented in the commit, and additional background is available in issue #34 and PR #46.
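
The three properties named above (stateful, cryptographically secure random values, usable only once) can be seen together in a short Python sketch. This is an added example, not the Five for the Future code: the `OneTimeTokenStore` class, the in-memory dict, storing only a hash of the token, and the integer pledge ids are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimeTokenStore:
    """Hypothetical store: one outstanding single-use token per pledge."""

    def __init__(self):
        # Stateful: pledge_id -> SHA-256 digest of the live token.
        # Assumption: only the digest is kept, so a leaked copy of the
        # store does not reveal usable tokens.
        self._pending = {}

    def issue(self, pledge_id):
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe for e-mail links.
        token = secrets.token_urlsafe(32)
        # Issuing again overwrites, and so invalidates, any earlier token.
        self._pending[pledge_id] = hashlib.sha256(token.encode()).digest()
        return token

    def redeem(self, pledge_id, presented):
        expected = self._pending.get(pledge_id)
        if expected is None:
            return False  # never issued, or already used
        actual = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, actual):
            return False  # a wrong guess does not burn the real token
        # Single use: remove the state on the first successful redemption.
        del self._pending[pledge_id]
        return True


def demo():
    """Constructed scenario: wrong guess, wrong pledge, valid use, replay."""
    store = OneTimeTokenStore()
    token = store.issue(42)
    return [
        store.redeem(42, "guess"),  # wrong value
        store.redeem(7, token),     # right value, wrong pledge
        store.redeem(42, token),    # first valid use
        store.redeem(42, token),    # replay of a used token
    ]


if __name__ == "__main__":
    print(demo())
```
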

Does
