[wp-trac] [WordPress Trac] #30264: Users should have a UI for managing sessions
WordPress Trac
noreply at wordpress.org
Tue Dec 16 09:12:57 UTC 2014
#30264: Users should have a UI for managing sessions
------------------------------+--------------------------
Reporter: jorbin | Owner: johnbillion
Type: task (blessed) | Status: reopened
Priority: normal | Milestone: 4.1
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch commit | Focuses:
------------------------------+--------------------------
Changes (by nacin):
* status: closed => reopened
* resolution: fixed =>
Comment:
This implementation can currently leak a session token when there is no
actual need to do so. While cookies are HTTP Only, the current session
token is available on profile.php via JavaScript. All we need to do is
check if the current user is the user being edited, and then trash all
other cookies. Otherwise it's also possible to log yourself out this way
when it isn't designed like that. That's not a CSRF issue as you have a
nonce also blocking this, but we can't be leaking a piece of a cookie like
this.
I'm making a few other code changes:
* Re-use the `update-user_{$id}` nonce. No need for a separate nonce here
at this time.
* Don't localize any values, we can get them from the form (especially
since we're reusing a nonce).
* Use `wp_verify_nonce()` rather than `check_ajax_referer()` because
there's no benefit to `check_ajax_referer()`, and the double false
actually tripped me up pretty badly.
* Use `wp.ajax` from `wp-util.js` rather than parsing the response from
`wp_send_json()` ourselves.
* I'm giving our error/success messages the proper padding by overriding
a margin style on `.form-table td p`.
Finally, I'm making a last-minute UX change:
More than a few testers have wondered why there's no button on the profile
page. This may be because we mention this on the about page. It also may
be because someone might tell someone else "go here and do that" and the
next thing they're going to say is "I don't understand, where is it?"
rather than think "OK, I'm good." markjaquith and I both think there
should be a disabled button normally. The language is "You are only logged
in at this location."
(Note this uses `count() === 1`, not `count() <= 1`, because if sessions
are for some reason disabled, we shouldn't show anything.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/30264#comment:18>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
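An added example (not the ticket's patch) of the server side described in the comment above: the profile form's existing `update-user_{$id}` nonce is verified with `wp_verify_nonce()`, the current user's own session is preserved only when they are editing themselves, and the token is read from the HttpOnly cookie server-side so nothing needs to be localized to JavaScript. The action name, POST field names and message strings are assumptions; the WordPress functions used are real core APIs.

```php
<?php
/**
 * Added example, not the ticket's code. Action name 'destroy-sessions' and
 * the POST fields 'user_id' / 'nonce' are assumptions.
 */
add_action( 'wp_ajax_destroy-sessions', 'example_destroy_sessions' );

function example_destroy_sessions() {
	$user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
	$nonce   = isset( $_POST['nonce'] ) ? (string) $_POST['nonce'] : '';

	// Re-use the profile form's own nonce instead of minting a second one.
	// wp_verify_nonce() returns 1, 2 or false, so compare against false.
	if ( false === wp_verify_nonce( $nonce, 'update-user_' . $user_id )
		|| ! current_user_can( 'edit_user', $user_id ) ) {
		wp_send_json_error( array( 'message' => 'Could not log out sessions.' ) );
	}

	$sessions = WP_Session_Tokens::get_instance( $user_id );

	if ( get_current_user_id() === $user_id ) {
		// Editing your own profile: keep the current session, drop the rest.
		// wp_get_session_token() reads the token from the HttpOnly auth cookie
		// on the server, so the token never has to be exposed to the page.
		$sessions->destroy_others( wp_get_session_token() );
		$message = 'You are now logged out everywhere else.';
	} else {
		// Editing someone else's profile: there is no session of theirs to keep,
		// and the admin's own session is untouched.
		$sessions->destroy_all();
		$message = 'User has been logged out.';
	}

	// wp.ajax on the client unwraps this success/error envelope.
	wp_send_json_success( array( 'message' => $message ) );
}

/**
 * Profile-page button: disabled when the user has exactly one session.
 * count() === 1 rather than <= 1 so nothing renders if sessions are disabled.
 */
function example_sessions_button( $user_id ) {
	$all = WP_Session_Tokens::get_instance( $user_id )->get_all();
	if ( count( $all ) === 1 ) {
		echo '<button type="button" class="button" disabled>You are only logged in at this location.</button>';
	} elseif ( count( $all ) > 1 ) {
		echo '<button type="button" class="button" id="destroy-sessions">Log Out Everywhere Else</button>';
	}
}
```

The client-side script only needs to post the form's `user_id` and nonce fields via `wp.ajax.post()`; no session value ever leaves the server.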