[wp-trac] [WordPress Trac] #47088: Visting wp-login.php whilst logged in logs you out
WordPress Trac
noreply at wordpress.org
Thu Oct 5 01:20:35 UTC 2023
#47088: Visting wp-login.php whilst logged in logs you out
------------------------------------+------------------------------
Reporter: lev0 | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 3.0
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------+------------------------------
Comment (by rajinsharwar):
Following on this old reported bug, as per my suggestion, this does of
course seem to be an issue to me. One of the main reasons is, using this,
any user can be logged out simply by visiting a URL, no nonces were
needed to make any current user log out. Anyone can make any user log out
from his current state by just making him visit the URL.
**My Proposal:**
Let's continue displaying the login page whenever that URL
"https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1"
is visited. But, visiting that URL with the ''reauth'' flag being set
shouldn't clear out the cookies. Instead, we can follow here the approach
that's decided for #14949 whenever anyone wants to visit the URL while
being logged in.
Requesting suggestions from all in this case. @SergeyBiryukov @swissspidy
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47088#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
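
Added example, not part of the ticket or of WordPress core: a log check a site operator could run to spot the behaviour described above, flagging GET requests to wp-login.php with the reauth flag set that were linked from another site. The combined access-log format, the Referer heuristic, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format, up to and including the Referer field.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def sets_reauth(target):
    """True for a wp-login.php request whose reauth parameter is set."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-login.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("reauth", [])
    # Assumption: any value other than "" or "0" counts as the flag being set.
    return any(v not in ("", "0") for v in values)

def cross_site_reauth_hits(lines, site_host):
    """Return (ip, time, referer_host) for GET reauth requests linked from another site."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not sets_reauth(m["target"]):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or an empty Referer
        if ref_host and ref_host != site_host.lower():
            hits.append((m["ip"], m["time"], ref_host))
    return hits

# Constructed sample data: the URL is the one quoted in the comment, the rest is made up.
REAUTH = ("/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin"
          "%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1")
SAMPLE_LOG = [
    # Same-site referer: not flagged.
    f'192.0.2.10 - - [05/Oct/2023:01:00:01 +0000] "GET {REAUTH} HTTP/1.1" 200 5123 '
    '"https://example.com/wp-admin/" "Mozilla/5.0"',
    # Link followed from another site while reauth is set: flagged.
    f'198.51.100.7 - - [05/Oct/2023:01:02:03 +0000] "GET {REAUTH} HTTP/1.1" 200 5123 '
    '"https://forum.example.net/thread/12" "Mozilla/5.0"',
    # Off-site referer but no reauth flag: not flagged.
    '198.51.100.8 - - [05/Oct/2023:01:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5001 '
    '"https://forum.example.net/thread/12" "Mozilla/5.0"',
    # No referer (typed or bookmarked URL): not flagged by this heuristic.
    f'192.0.2.11 - - [05/Oct/2023:01:04:00 +0000] "GET {REAUTH} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in cross_site_reauth_hits(SAMPLE_LOG, "example.com"):
        print(hit)
```

A hit only shows that the request arrived from an off-site link; browsers that strip the Referer header will not appear here.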