I’m trying to create a WordPress plugin that restricts access to content based on a custom username/password database.
For the authentication I’m creating 2 cookies after the user logs in – one with the user name and another with the hash (created using WP’s PasswordHash library) of the username + 'secret'.
For the ‘secret’, I was planning on using one of the constants from wp-config.php, for example “LOGGED_IN_SALT”.
My question is: is it a security risk to use LOGGED_IN_SALT? Could I compromise the security of the WordPress installation if I do this? Would one of the other constants be a better choice? Should I avoid using any of these constants?
Any opinions welcome!
Thanks
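For reference, here is an added illustration (not code from the question, from WordPress core, or from any existing plugin) of the two-cookie scheme described above made tamper-evident: the cookie value is authenticated with an HMAC under a key dedicated to the plugin rather than a bare hash of username + secret, the expiry is bound into the MAC, and verification uses a constant-time comparison. MY_PLUGIN_COOKIE_KEY and the two cookie names are assumptions; you would define the key yourself in wp-config.php.

```php
<?php
// Added illustration, not code from the question or from WordPress core.
// Assumes a dedicated secret is defined in wp-config.php, e.g.
//   define('MY_PLUGIN_COOKIE_KEY', '<long random string>');
// A key separate from LOGGED_IN_SALT keeps this plugin's cookies
// independent of WordPress's own authentication cookies.

const MY_USER_COOKIE  = 'myplugin_user';  // assumed cookie name
const MY_TOKEN_COOKIE = 'myplugin_token'; // assumed cookie name

// Authenticate the payload with a keyed MAC (HMAC-SHA256).
// Binding the expiry into the MAC means the client cannot extend it.
function myplugin_make_token(string $username, int $expires): string {
    $payload = $username . '|' . $expires;
    return $expires . '.' . hash_hmac('sha256', $payload, MY_PLUGIN_COOKIE_KEY);
}

// Returns the username if both cookies are present, unexpired and the MAC
// verifies; otherwise null. hash_equals() avoids a timing side channel.
function myplugin_verify(array $cookies, int $now): ?string {
    if (!isset($cookies[MY_USER_COOKIE], $cookies[MY_TOKEN_COOKIE])) {
        return null;
    }
    $parts = explode('.', $cookies[MY_TOKEN_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return null;
    }
    // Recompute from the username the client sent; any edit to either
    // cookie changes the expected value and the comparison fails.
    $expected = myplugin_make_token($cookies[MY_USER_COOKIE], $expires);
    if (!hash_equals($expected, $cookies[MY_TOKEN_COOKIE])) {
        return null;
    }
    return $cookies[MY_USER_COOKIE];
}

// Set both cookies after a successful login against the plugin's own table.
// HttpOnly keeps the token away from page scripts; Secure keeps it off
// plaintext HTTP. The options-array form of setcookie() needs PHP 7.3+.
function myplugin_set_cookies(string $username): void {
    $expires = time() + DAY_IN_SECONDS; // DAY_IN_SECONDS is a WordPress constant
    $opts = ['expires' => $expires, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie(MY_USER_COOKIE, $username, $opts);
    setcookie(MY_TOKEN_COOKIE, myplugin_make_token($username, $expires), $opts);
}
```

Call myplugin_verify($_COOKIE, time()) before rendering restricted content; a null result means the visitor is not logged in to the plugin.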
Do not use a cookie for that, use a session instead. If you use a cookie, it can be changed by the client, and it can also be stolen through an XSS vulnerability. You can get the user data from the session, and validate restricted access with the user data fetched from the session.
When you go to restricted content, get the user data from the session;