[wp-trac] [WordPress Trac] #36317: Introduce a cookie prefix default constant

WordPress Trac noreply at wordpress.org
Thu Mar 24 02:15:18 UTC 2016


#36317: Introduce a cookie prefix default constant
------------------------------------+------------------------------
 Reporter:  johnjamesjacoby         |       Owner:
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  2nd-opinion             |     Focuses:
------------------------------------+------------------------------
Description changed by johnjamesjacoby:

Old description:

> Right now, all of WordPress's cookies are prefixed with the same
> `wordpress` namespace. A problem arises with `advanced-cache.php` caching
> solutions that load before `default-constants.php` is included, where the
> cookie prefix cannot be guessed.
>
> The current workaround is to stab at each cookie individually:
>
> {{{
>
> // Auth cookie
> if ( defined( 'AUTH_COOKIE' ) && ( $this->cookie === AUTH_COOKIE ) ) {
>         return true;
> }
>
> // User cookie
> if ( defined( 'USER_COOKIE' ) && ( $this->cookie === USER_COOKIE ) ) {
>         return true;
> }
>
> // Logged-in cookie
> if ( defined( 'LOGGED_IN_COOKIE' ) && ( $this->cookie === LOGGED_IN_COOKIE ) ) {
>         return true;
> }
> }}}
>
> And to special case the test cookie, like:
>
> {{{
> // Generic 'wordpress' cookies (that are not test cookies)
> if ( ( substr( $this->cookie, 0, 9 ) === 'wordpress' ) && ( $this->cookie !== 'wordpress_test_cookie' ) ) {
>         return true;
> }
> }}}
>
> But without a known and trusted cookie prefix, it's still an
> unpredictable environment.
>
> -----
>
> I'd like to re-propose an 8-year-old issue (#6413) to introduce a new
> default constant to define a cookie prefix. This could turn the above
> snippet into something at least slightly more sane, like:
>
> {{{
> // Generic 'wordpress' cookies (that are not test cookies)
> if ( defined( 'COOKIEPREFIX' ) ) {
>         $len = strlen( COOKIEPREFIX );
>         // Prefix matches and 'test_cookie' does not appear after the prefix
>         if ( ( substr( $this->cookie, 0, $len ) === COOKIEPREFIX ) && ( false === strpos( $this->cookie, 'test_cookie', $len ) ) ) {
>                 return true;
>         }
> }
> }}}
>
> A `COOKIEPREFIX` constant would also allow plugins an easy way to drop
> themselves inside of WordPress's cookie namespace, which will help them
> play more nicely in environments where WordPress is not the only
> application within the domain.

New description:

 Right now, all of WordPress's cookies are prefixed with the same
 `wordpress` namespace. A problem arises with `advanced-cache.php` caching
 solutions that load before `wp_cookie_constants()` is called, where the
 cookie prefix cannot be guessed.

 The current workaround is to stab at each cookie individually:

 {{{

 // Auth cookie
 if ( defined( 'AUTH_COOKIE' ) && ( $this->cookie === AUTH_COOKIE ) ) {
         return true;
 }

 // User cookie
 if ( defined( 'USER_COOKIE' ) && ( $this->cookie === USER_COOKIE ) ) {
         return true;
 }

 // Logged-in cookie
 if ( defined( 'LOGGED_IN_COOKIE' ) && ( $this->cookie === LOGGED_IN_COOKIE ) ) {
         return true;
 }
 }}}

 And to special case the test cookie, like:

 {{{
 // Generic 'wordpress' cookies (that are not test cookies)
 if ( ( substr( $this->cookie, 0, 9 ) === 'wordpress' ) && ( $this->cookie !== 'wordpress_test_cookie' ) ) {
         return true;
 }
 }}}

 But without a known and trusted cookie prefix, it's still an unpredictable
 environment.

 -----

 I'd like to re-propose an 8-year-old issue (#6413) to introduce a new
 default constant to define a cookie prefix. This could turn the above
 snippet into something at least slightly more sane, like:

 {{{
 // Generic 'wordpress' cookies (that are not test cookies)
 if ( defined( 'COOKIEPREFIX' ) ) {
         $len = strlen( COOKIEPREFIX );
         // Prefix matches and 'test_cookie' does not appear after the prefix
         if ( ( substr( $this->cookie, 0, $len ) === COOKIEPREFIX ) && ( false === strpos( $this->cookie, 'test_cookie', $len ) ) ) {
                 return true;
         }
 }
 }}}

 A `COOKIEPREFIX` constant would also allow plugins an easy way to drop
 themselves inside of WordPress's cookie namespace, which will help them
 play more nicely in environments where WordPress is not the only
 application within the domain.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36317#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
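
Added example (not from the ticket or from WordPress core): one way a cache drop-in could use the proposed prefix to decide whether to skip the page cache, checking every request cookie in the namespace except the test cookie. `COOKIEPREFIX` is the constant this ticket proposes; the helper names, the `'wordpress'` fallback and the `<prefix>_test_cookie` name are assumptions.

```php
<?php
// Added illustration, not WordPress core code. COOKIEPREFIX is the constant
// proposed in this ticket; assumed here to hold a value such as 'wordpress'.

/**
 * Return the names of request cookies inside the given namespace,
 * ignoring the test cookie. Hypothetical helper for a cache drop-in.
 */
function namespaced_cookies( array $cookies, string $prefix ): array {
	if ( '' === $prefix ) {
		// An empty prefix would match every cookie; treat it as a config error.
		throw new InvalidArgumentException( 'Cookie prefix must not be empty.' );
	}
	$len     = strlen( $prefix );
	$test    = $prefix . '_test_cookie'; // assumed test-cookie naming
	$matched = array();
	foreach ( array_keys( $cookies ) as $name ) {
		$name = (string) $name; // PHP turns numeric cookie names into int keys
		if ( 0 === strncmp( $name, $prefix, $len ) && $name !== $test ) {
			$matched[] = $name;
		}
	}
	return $matched;
}

/** Decide whether the page cache must be skipped for this request. */
function should_bypass_cache( array $cookies ): bool {
	// Fall back to the historical namespace when the constant is not defined yet.
	$prefix = defined( 'COOKIEPREFIX' ) ? COOKIEPREFIX : 'wordpress';
	return count( namespaced_cookies( $cookies, $prefix ) ) > 0;
}

// Constructed sample input standing in for $_COOKIE.
$sample = array(
	'wordpress_test_cookie'        => 'constructed-value',
	'wordpress_logged_in_0123abcd' => 'constructed-value',
	'other_app_session'            => 'constructed-value',
);
var_dump( should_bypass_cache( $sample ) ); // a namespaced, non-test cookie is present
var_dump( should_bypass_cache( array( 'wordpress_test_cookie' => 'x' ) ) ); // test cookie only
```

The exact-name comparison for the test cookie avoids excluding any other cookie that merely contains `test_cookie` somewhere after the prefix.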