I've noticed that, for example, WordPress appends what seems to be some kind of hash or random string to its wordpress_logged_in cookie, making a cookie name of, for example, wordpress_logged_in_abcdef1234, which makes accessing it from within a script less than straightforward.
Could someone please explain why this is done?
The appended string is a hash of the site URL; refer to Understanding Wordpress Auth Cookies.
1) Cookie ID
What I’m calling the auth “cookie ID” is defined in the file default-constants.php:
if ( !defined('AUTH_COOKIE') ) define('AUTH_COOKIE', 'wordpress_'.COOKIEHASH);It’s simply a concatenation of “wordpress_” and a value called COOKIEHASH which is also defined in the same file:
if ( !defined( 'COOKIEHASH' ) ) { $siteurl = get_site_option( 'siteurl' ); if ( $siteurl ) define ( 'COOKIEHASH', md5( $siteurl ) ); else define ( 'COOKIEHASH', '' ); }As you can see, COOKIEHASH is nothing more than an MD5 of your site’s URL.
As to why this is done, it probably relates to allowing multiple wordpress sites to share a domain name (with the sites in different sub-directories). Without a unique identifier, the sites would keep overriding each others' cookies.