[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login
WordPress Trac
noreply at wordpress.org
Tue Nov 28 00:20:06 UTC 2017
#42481: Test cookie secure flag prevents non-secure login
------------------------------------+------------------------------
Reporter: RavanH | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.9
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------+------------------------------
Changes (by RavanH):
* version: => 4.9
Comment:
Take for instance the LOGGED_IN_COOKIE secure flag handling. In
pluggable.php line 833 it says:
{{{#!php
// Front-end cookie is secure when the auth cookie is secure and the site's home URL is forced HTTPS.
$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );
}}}
Although this seems perfectly logical, there is a problem when on
multisite the primary site is on https, but when a new subdomain blog is
created it uses http. The new site owner will then visit his new blog but
not be logged in on the front end because the logged_in_cookie has the
secure flag set when the user logged in on the main site (when creating
his/her new account).
This problem is similar to the test_cookie but more persistent because the
logged in cookie does not expire after one session. A nasty result of this
is what can be seen in the second half of the screen cast posted above.
The user will first have to go back to the main site, log out there, then
go back to his sub-site, and log back in there... Not very intuitive.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42481#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
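The scenario described in the comment above, as an added stand-alone example that is not WordPress core code: the `secure_logged_in_cookie_flag()` function mirrors the quoted pluggable.php rule, `browser_sends_cookie()` applies the standard browser rule that a cookie carrying the Secure attribute is only attached to requests over https (RFC 6265), and `logged_in_on_frontend()` chains the two so the multisite case can be replayed. The derivation of `$secure` from the login URL's scheme is a simplification of what core does at login time, and all site URLs are constructed sample values.

```php
<?php
// Added example, not WordPress core code. Models why a logged_in cookie set on
// an https primary site never reaches an http subdomain site.

/**
 * Mirror of the pluggable.php rule quoted in the ticket: the front-end
 * (logged-in) cookie gets the Secure flag only when the auth cookie is
 * secure AND the network's home URL uses https.
 */
function secure_logged_in_cookie_flag( bool $secure, string $home_url ): bool {
    return $secure && 'https' === parse_url( $home_url, PHP_URL_SCHEME );
}

/**
 * Browser-side rule (RFC 6265): a cookie with the Secure attribute is sent
 * only when the request itself is made over a secure scheme. A cookie
 * without the attribute is sent over either scheme.
 */
function browser_sends_cookie( bool $cookie_secure, string $request_url ): bool {
    $scheme = parse_url( $request_url, PHP_URL_SCHEME );
    return ! $cookie_secure || 'https' === $scheme;
}

/**
 * Replay the multisite scenario: the user logs in at $login_url on a network
 * whose home URL is $home_url, then visits $visit_url on a subsite.
 * Returns true when the subsite's front end will receive the logged-in cookie.
 *
 * Assumption (simplified from core): the auth cookie's $secure flag is true
 * exactly when the login request was made over https.
 */
function logged_in_on_frontend( string $home_url, string $login_url, string $visit_url ): bool {
    $secure = 'https' === parse_url( $login_url, PHP_URL_SCHEME );
    $flag   = secure_logged_in_cookie_flag( $secure, $home_url );
    return browser_sends_cookie( $flag, $visit_url );
}

// Constructed sample values for the ticket's scenario.
$home      = 'https://network.example';              // primary site forced to https
$login     = 'https://network.example/wp-login.php'; // user logs in on the main site
$sub_http  = 'http://newblog.network.example/';      // new subdomain site served over http
$sub_https = 'https://newblog.network.example/';     // same subsite, if it were served over https

foreach ( array( $sub_http, $sub_https ) as $visit ) {
    printf(
        "Logged-in cookie reaches %s: %s\n",
        $visit,
        logged_in_on_frontend( $home, $login, $visit ) ? 'yes' : 'no'
    );
}
```

Running the script prints `no` for the http subsite and `yes` for the https one: the cookie is not expired or invalid, the browser simply withholds it from the plain-http request because of the Secure attribute, which is why the user appears logged out there until the cookie is replaced by logging out and back in on the subsite.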
More information about the wp-trac
mailing list