[wp-hackers] Understanding some interactions between cookies, sessions, nonces, multisite...
david at wordshell.net
Mon Sep 22 12:28:28 UTC 2014
I just spent a *very* dull few hours tracing a problem, whereby
wp_create_nonce() returned a nonce which wp_verify_nonce() (running via
AJAX) did not accept.
This happened as follows:
1) the site was a sub-folder based multisite
2) the nonce was created by a page in the network dashboard, at
wp-admin/network/settings.php, and output in some JS on the settings page.
3) the ajaxurl JS variable being output by wp-admin/admin-header.php
goes via the main site which in this case lived at /main, and thus
ajaxurl was set to wp-admin/main/admin-ajax.url
4) The browser had a different wordpress_logged_in_(hex) cookie value
for /main than for /. i.e. Two separate cookies existed in the browser.
(The value of (hex) was the same - i.e. neither cookie lookup was empty).
5) This resulted in wp_get_session_token() returning a different value
when the nonce was checked (via AJAX, which got the cookie whose path
was set to /main) compared to when it was set (via the network dashboard
page, which got the cookie whose path was set to /).
I cleared all my cookies, and logged in via /wp-login.php again. Same
happened. Both cookies returned.
This site had this in its wp-config.php:
After removing those lines, clearing cookies, and logging in again,
there was only one cookie, and everything worked.
This only breaks things on recent WP versions where
wp_get_session_token() is used in nonces.
I'm familiar with AJAX and nonces, but WP's login stuff is not something
I'm familiar with.
The questions I don't understand the answers too are:
1) Why my customer might have had those defines in his wp-config.php, and
2) Why this breaks things in this way, and
3) Is this a bug?
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net
More information about the wp-hackers