Andrew Nacin nacin@ replied:

"""
WordPress does not have session management on the server-side. Currently:
* Cookies are only valid as long as they were originally designed to
expire. They may be replayed until they time out.
* They are hashed so they cannot be used after their original intended
expiration.
* In general one should be using the WordPress admin over SSL if leaking a
cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.

WordPress takes sensible precautions with these cookies:
* When running over SSL, WordPress ensures the secure flag is set on cookies
* It sets the HttpOnly flag so that they are not accessible by JavaScript
* It invalidates the cookies in the browser.

We are looking into some potential changes to our authentication system to
allow for explicit session termination, but do not have a timeline at this
time.
"""

So this is not yet fixed in upstream. How should we proceed?

--
Henri Salo

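Added example, not code from WordPress or from either participant in the thread: a Python model of what the quoted reply describes, an auth cookie of the form username|expiration|mac that the server checks with no state of its own, next to a token-backed variant that allows the explicit termination the reply says is being looked into. The salt, the password hash, the timestamps and the user name are constructed for the demo; the key derivation in sign() is an assumption about the older scheme, not a transcript of wp_generate_auth_cookie(); SessionStore and every function name here are mine.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example only: not a real site's salt or a real account.
AUTH_SALT = b"constructed-auth-salt-not-a-real-wp-salt"
USER_PASS = "$P$BqVGl7hN.constructed.phpass.hash.for.demo"   # models the stored password hash
NOW = 1_400_000_000             # fixed "current time" so the demo is deterministic
EXPIRATION = NOW + 14 * 86400   # cookie lifetime used here: 14 days ("remember me")

def sign(username: str, expiration: int, token: str) -> str:
    # Models the reply's "hashed" cookie (assumption about the scheme): the site salt derives a
    # per-cookie key that MACs the body; a fragment of the password hash goes into that key.
    pass_frag = USER_PASS[8:12]
    key = hmac.new(AUTH_SALT, f"{username}{pass_frag}|{expiration}|{token}".encode(),
                   hashlib.md5).hexdigest()
    return hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(),
                    hashlib.md5).hexdigest()

def parse(cookie: str, fields: int):
    # (username, expiration, token, mac), or None if the cookie is malformed.
    parts = cookie.split("|")
    if len(parts) != fields:
        return None
    try:
        expiration = int(parts[1])
    except ValueError:
        return None
    return parts[0], expiration, (parts[2] if fields == 4 else ""), parts[-1]

def stateless_cookie(username: str, expiration: int) -> str:
    # The scheme the reply describes: username|expiration|mac, nothing kept server-side.
    return f"{username}|{expiration}|{sign(username, expiration, '')}"

def validate_stateless(cookie: str, now: int):
    # Only the MAC and the expiration are checked. Logging out clears the browser cookie,
    # but a captured copy keeps validating until `expiration`: there is nothing to revoke.
    parsed = parse(cookie, 3)
    if parsed is None:
        return None
    username, expiration, token, mac = parsed
    if expiration < now or not hmac.compare_digest(
            mac.encode(), sign(username, expiration, token).encode()):
        return None
    return username

class SessionStore:
    # Server-side session tokens (the direction the reply says is being looked into). Only a
    # hash of each token is stored, so a leaked table does not hand out usable cookies.
    def __init__(self):
        self._tokens = {}   # username -> {sha256(token): expiration}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str, expiration: int) -> str:
        token = secrets.token_hex(32)
        self._tokens.setdefault(username, {})[self._key(token)] = expiration
        return token

    def verify(self, username: str, token: str, now: int) -> bool:
        exp = self._tokens.get(username, {}).get(self._key(token))
        return exp is not None and exp >= now

    def destroy(self, username: str, token: str) -> None:   # log out this one session
        self._tokens.get(username, {}).pop(self._key(token), None)

    def destroy_all(self, username: str) -> None:           # log out everywhere
        self._tokens.pop(username, None)

def token_cookie(username: str, expiration: int, store: SessionStore) -> str:
    # username|expiration|token|mac: the MAC still covers everything, and the token must
    # also be present and unexpired in the store for the cookie to be accepted.
    token = store.create(username, expiration)
    return f"{username}|{expiration}|{token}|{sign(username, expiration, token)}"

def validate_token(cookie: str, now: int, store: SessionStore):
    parsed = parse(cookie, 4)
    if parsed is None:
        return None
    username, expiration, token, mac = parsed
    if expiration < now or not hmac.compare_digest(
            mac.encode(), sign(username, expiration, token).encode()):
        return None
    if not store.verify(username, token, now):
        return None   # explicitly terminated, or never issued
    return username

def demo() -> tuple:
    store = SessionStore()
    captured = stateless_cookie("alice", EXPIRATION)
    tampered = captured.replace(str(EXPIRATION), str(EXPIRATION + 30 * 86400), 1)
    cookie = token_cookie("alice", EXPIRATION, store)
    before = validate_token(cookie, NOW + 3600, store)
    store.destroy_all("alice")   # the explicit termination the stateless scheme cannot offer
    return (validate_stateless(captured, NOW + 3600),      # "alice": replays until expiry
            validate_stateless(captured, EXPIRATION + 1),  # None: past expiration
            validate_stateless(tampered, NOW + 3600),      # None: edited expiration breaks MAC
            before,                                        # "alice"
            validate_token(cookie, NOW + 3600, store))     # None: terminated server-side
```

demo() shows the two points of the thread side by side: the stateless cookie cannot be forged or extended (the MAC covers the expiration, and the password fragment in the key means a password change still kills it) but a captured copy replays for the full lifetime because there is nothing on the server to revoke, while the token-backed cookie stops validating the moment destroy() or destroy_all() runs.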