It's been a couple of weeks since Kalamuna ushered in a new era of peace and harmony by running Wordpress on Pantheon. However, even as the people rejoiced in celebration of this momentous discovery, not all was right in the CMS kingdom. Was this blissfull new marriage between Pantheon and Wordpress in danger?
Turns out no, but the hook was too much to resist.
Although Wordpress runs admirably on Pantheon, we did encounter one hiccup during the installation: the Wordpress admin interface was inaccessible. It turns out that Varnish strips out all but a few cookies, including those that Wordpress uses to recognize that a user is logged in. You can get around this issue by prefixing the Wordpress cookies with "SESS", as Pantheon's VCL file accepts all cookies that begin with SESS. This is the method that Alec shares in his article.
Despite the utility of this method, I began to question the general method Wordpress uses for session handling. Wordpress stores user authentication and login information in a series of cookies. Generally, it is not considered a best practice to put sensitive information inside cookies, but Wordpress assures us that their approach is secure. Drupal, on the other hand, provides custom handlers for PHP's native session handling. These custom handlers store user sessions in a database table and expose only a session ID, as opposed to all the hashed user login information revealed by Wordpress.
Kalamuna thinks that the Drupal session handling is probably more secure and performant than the Wordpress method. As a result we are happy to announce that we have written a plugin that removes the cookie based system that Wordpress uses in favor of a Drupal-like session based system.
DISCLAIMER: We think that this plugin is a good proof of concept but should still be considered an alpha release. If you are interested in helping get this plugin ready for production please contact us.