[wp-trac] [WordPress Trac] #60090: Double login with cloned wordpress instance

WordPress Trac noreply at wordpress.org
Tue Dec 19 02:23:53 UTC 2023


#60090: Double login with cloned wordpress instance
-------------------------+-------------------------------------------------
 Reporter:  vchn         |       Owner:  (none)
     Type:  defect       |      Status:  new
  (bug)                  |
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:  6.4.2
 Severity:  major        |  Resolution:
 Keywords:               |     Focuses:  administration, performance,
                         |  privacy
-------------------------+-------------------------------------------------

Comment (by vchn):

 Hi @dd32
 + No COOKIE_DOMAIN set in the config
 + We don't use any authentication plugin.
 + Now I can easily reproduce the same issue:
 1. Log out both websites. Close browser
 2. Open browser, Log into "staging" site.
 3. Open new tab or new browser window (in normal mode, not Incognito).
 The live site is now also logged in as the same user.
 Attached is the full plugins list.
 Image here https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png

 Replying to [comment:1 dd32]:
 > Hi @vchn,
 >
 > Can you confirm the following details?
 >  - You're not using any Authentication plugins
 >  - The cloned site is using a cloned database
 >  - The user is logged out before the cloning happens
 >  - Single or Multisite?
 >  - Is `COOKIE_DOMAIN` defined in the config?
 >
 > This sounds like the expected behaviour to me at first. The URL is not
 > part of the authentication, but is used for the cookies. If the cookies
 > "leak" from the parent domain to the child staging domain (which your
 > browser is in control of - affected by `COOKIE_DOMAIN` constant too) and
 > either a) The database is shared or b) The login occurs before the
 > database is cloned, then with an exact replica of the main site a session
 > would be able to be valid on both sites if all of the auth tokens in the
 > database and configuration are the same.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60090#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
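The reasoning in the quoted reply can be checked with a small model of WordPress's auth-cookie scheme. This is an added illustration, not code from the ticket or from WordPress core: it assumes the cookie is an HMAC keyed from `AUTH_KEY`/`AUTH_SALT` plus a fragment of the stored password hash, and that the session token must also exist in the user's stored session list. All site data below is constructed.

```python
import hashlib
import hmac


def wp_hash(data: str, auth_key: str, auth_salt: str) -> str:
    # Modelled after wp_hash(): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT
    return hmac.new((auth_key + auth_salt).encode(), data.encode(), "md5").hexdigest()


class Site:
    """One WordPress install: its key/salt config, a user's stored hash and session list."""

    def __init__(self, auth_key, auth_salt, user_pass, session_tokens):
        self.auth_key, self.auth_salt = auth_key, auth_salt
        self.user_pass = user_pass                  # hash from wp_users (constructed)
        self.session_tokens = set(session_tokens)   # sha256(token) values kept in usermeta

    def _mac(self, username, expiration, token):
        pass_frag = self.user_pass[8:12]            # like substr($user->user_pass, 8, 4)
        key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", self.auth_key, self.auth_salt)
        return hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(), "sha256").hexdigest()

    def generate_auth_cookie(self, username, expiration, token):
        # Login records the session token in the database, then issues the cookie
        self.session_tokens.add(hashlib.sha256(token.encode()).hexdigest())
        return f"{username}|{expiration}|{token}|{self._mac(username, expiration, token)}"

    def validate_auth_cookie(self, cookie, now):
        try:
            username, expiration, token, mac = cookie.split("|")
        except ValueError:
            return False
        if int(expiration) < now:
            return False
        if not hmac.compare_digest(self._mac(username, expiration, token), mac):
            return False                            # keys, salt or password hash differ
        return hashlib.sha256(token.encode()).hexdigest() in self.session_tokens


def clone_scenarios():
    """Validate one live-site cookie against three kinds of staging clone (constructed)."""
    now = 1_700_000_000
    live = Site("live-auth-key", "live-auth-salt", "$P$BconstructedHashValue", [])
    cookie = live.generate_auth_cookie("admin", now + 3600, "sessiontoken123")
    exact = Site(live.auth_key, live.auth_salt, live.user_pass, live.session_tokens)  # cloned after login
    before_login = Site(live.auth_key, live.auth_salt, live.user_pass, [])           # DB cloned before login
    new_keys = Site("staging-key", "staging-salt", live.user_pass, live.session_tokens)  # regenerated keys
    return {
        "live": live.validate_auth_cookie(cookie, now),
        "exact_clone": exact.validate_auth_cookie(cookie, now),
        "cloned_before_login": before_login.validate_auth_cookie(cookie, now),
        "regenerated_keys": new_keys.validate_auth_cookie(cookie, now),
    }
```

Only the exact post-login replica accepts the live cookie; regenerating the keys/salts for the staging site (or cloning before any login) makes the server side reject it, independent of whether the browser sends the cookie to both hostnames.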

