[wp-trac] [WordPress Trac] #31294: Customizer no longer gracefully handles session expiration

WordPress Trac noreply at wordpress.org
Sat Mar 21 16:20:44 UTC 2015

#31294: Customizer no longer gracefully handles session expiration
 Reporter:  westonruter   |       Owner:  ocean90
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  4.2
Component:  Customize     |     Version:  4.0
 Severity:  major         |  Resolution:
 Keywords:  has-patch     |     Focuses:
Changes (by westonruter):

 * keywords:  needs-patch => has-patch
 * owner:   => ocean90
 * status:  new => reviewing


 In [attachment:31294.2.diff], the Customizer login now updates nonces upon
 successful login.

 Prevent cheatin' message after re-authenticating in Customizer. If the
 user's session expired while in the Customizer, and they were prompted to
 re-authenticate inside the Preview, before this the Customizer would throw
 up a cheatin message because the nonce used to get request the preview or
 to save the settings was tied to the user's previous session which is no
 longer valid.

 As noted by @ocean90, the regression started in 4.0. I see that the
 regression is due to the introduction of the user session tokens since the
 nonces are now tied to session tokens as opposed to user IDs, and thus
 they change with each re-login.

 This is a nasty bug because it can result in a user losing their changes,
 and getting an unhelpful cheatin' message to boot.

Ticket URL: <https://core.trac.wordpress.org/ticket/31294#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list