[wp-trac] [WordPress Trac] #60801: New sessions are created when user authenticates but there already are active sessions

WordPress Trac noreply at wordpress.org
Mon Mar 18 18:28:42 UTC 2024


#60801: New sessions are created when user authenticates but there already are
active sessions
------------------------------------+-----------------------------
 Reporter:  robert681               |      Owner:  (none)
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  6.4.3
 Severity:  normal                  |   Keywords:
  Focuses:  administration          |
------------------------------------+-----------------------------
 **The problem:** When a user logs in to WordPress a new session is
 created. If the user opens a new browser tab and navigates to website/wp-
 admin, the user does not need to authenticate because the session
 cookies are saved in the browser, which is the expected behaviour. The
 same happens even when the user closes the browser completely and reopens
 it within the duration of that session.

 However, if the user navigates to the URL *website/wp-login.php* of the
 website they are already logged in to, the user is presented with a login
 page, and upon authenticating WordPress creates a new session, new
 cookies, etc., instead of "retrieving" the existing logged-in session.

 **How to reproduce:**

 1. Log in to a WordPress website
 2. Open a new browser tab on the same browser (you can close the previous
 one)
 3. Navigate to the login page of the same website you are already logged
 in to: *website/wp-login.php*
 4. Log in

 At this point there are two different sessions for the same user in the
 database and in the browser the user has multiple sets of cookies for the
 different sessions.

 **The issues this causes:**
 1. Excessive amount of unnecessary session data in the database. We've
 seen some large websites with tens of thousands of session entries in the
 database.
 2. Site admins who try to control / limit / manage the number of
 simultaneous user sessions with third-party plugins end up having a lot of
 problems, such as locking out legitimate users, etc.

 **Possible solution?:** There are a few possible solutions, however, the
 easiest one we can think of is to check for session cookies in the users'
 browsers whenever they access the *wp-login.php*, and if there are,
 retrieve that session.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60801>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
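The check the reporter proposes, as an added example (not core code and not a patch from the ticket): a must-use plugin that, on wp-login.php, validates the auth cookie the browser already carries and sends the visitor on instead of authenticating again. It assumes core's `login_init` and `set_logged_in_cookie` hooks and installation under wp-content/mu-plugins/; the constant and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Reuse existing session on wp-login.php (example for #60801)
 * Description: If the visitor already holds a valid auth cookie, skip the
 *              login form and keep that session instead of creating another.
 * Install as wp-content/mu-plugins/reuse-session.php (assumed path).
 */

// wp-login.php sub-actions that a logged-in visitor must still be able to use.
const RS_PASSTHROUGH_ACTIONS = array(
	'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp',
	'postpass', 'confirmaction',
);

// Set to true to also enforce "one session per user", the policy the ticket
// says third-party plugins try to apply. It logs out the user's other devices.
const RS_SINGLE_SESSION = false;

function rs_reuse_session() {
	$action = ( isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] ) )
		? sanitize_key( $_REQUEST['action'] ) : 'login';
	if ( in_array( $action, RS_PASSTHROUGH_ACTIONS, true ) ) {
		return;
	}
	// reauth=1 is core's explicit "log in again" request (e.g. after a
	// failed nonce check); honour it so the form still appears.
	if ( ! empty( $_REQUEST['reauth'] ) ) {
		return;
	}
	// Same check core runs for admin pages: signature, expiry and the
	// session token in usermeta must all be valid, or we get false.
	$user_id = wp_validate_auth_cookie();
	if ( ! $user_id ) {
		return; // no usable session: show the normal login form
	}
	$redirect_to = isset( $_REQUEST['redirect_to'] )
		? wp_unslash( $_REQUEST['redirect_to'] ) : admin_url();
	// wp_safe_redirect() only allows same-host targets (falls back to admin_url()),
	// so the redirect_to parameter cannot be turned into an open redirect.
	wp_safe_redirect( $redirect_to );
	exit;
}
add_action( 'login_init', 'rs_reuse_session' );

// Optional policy: when a fresh session is created, destroy this user's other
// sessions so the usermeta session store cannot grow without bound.
add_action( 'set_logged_in_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
	if ( RS_SINGLE_SESSION ) {
		WP_Session_Tokens::get_instance( $user_id )->destroy_others( $token );
	}
}, 10, 6 );
```

The `login_init` handler runs before wp-login.php reaches `wp_signon()`, so no second session or cookie set is created for a visitor whose existing session still validates.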

