[wp-hackers] wp-login.php changes in 2.5

benchun ben at benchun.net
Fri Apr 11 16:53:54 GMT 2008


Oddly, it *does* work, but the user has to submit wp-login.php once first --
with any values -- so that the code can run.  Then if the user reloads their
original page request, they are logged in.  (It works because, in addition
to wp_authenticate, the plugin hooks check_passwords, so it overrides
everything that WP does with passwords.  This continues to work fine in
2.5.)  It really is just the order of operations change in wp-login.php that
we're trying to work around.


On Thu, Apr 10, 2008 at 4:11 PM, Viper007Bond <viper at viper007bond.com> wrote:

> Passwords aren't MD5'ed anymore in the database (they are now salted and
> uber-hashed via phpass), so that plugin won't work as it is right now
> regardless.
>
> On Thu, Apr 10, 2008 at 11:46 AM, benchun <ben at benchun.net> wrote:
>
> > Hi everyone,
> > I noticed that login is handled a little differently in 2.5.  This caused
> > Daniel Westermann-Clark's http-authentication (
> > http://wordpress.org/extend/plugins/http-authentication/ ) plugin to break,
> > but just slightly.  Background: The purpose of the plugin is to check if the
> > user is already authenticated by looking for the REMOTE_USER environment
> > variable, as set by mod_auth or similar.  If yes, then it logs them in to WP
> > with the same username by setting the cookie.
> >
> > The current implementation involves hooking wp_authenticate.  It looks like
> > the order of operations in 2.5 in wp-login.php has changed.  Previously it
> > called wp_authenticate no matter what, and the plugin could do its magic.
> > Now wp-login.php calls wp_signon() in wp-includes/user.php, which returns
> > before calling wp_authenticate if it wasn't passed any credentials.  So why
> > not pass it credentials?  Well that sounds great.  How are we intended to do
> > this cleanly?
> >
> > wp_signon() is not in pluggable.php and wp_login() is deprecated with a note
> > to use wp_signin() -- a function that as far as I can tell does not exist at
> > all.  Clearly someone had an idea for how logins should work, and these
> > changes were probably a good idea in some context.  Were they implemented
> > completely?  Can anyone point me at documentation for these changes or give
> > a suggestion as to how to fix dwc's plugin?
> >
> > Thanks in advance,
> > Ben
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/

