[wp-trac] [WordPress Trac] #27212: Authentication Check on wp-login.php
WordPress Trac
noreply at wordpress.org
Wed Feb 26 06:11:51 UTC 2014
#27212: Authentication Check on wp-login.php
-----------------------------------------+-----------------------------
Reporter: kenmoini | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 3.8.1
Severity: normal | Keywords:
Focuses: administration, performance |
-----------------------------------------+-----------------------------
Running 3.8.1 on a few sites that I've tested this with. At first I
thought it was the OpenID plugin I was using, but I tested this issue with
a vanilla WP installation as well and reproduced the same effect.
/wp-login.php will render the login form even when a user is already
authenticated. I added the following lines to /wp-login.php, injected at
line 24:
{{{
// Redirect already-authenticated users away from the login form.
if ( is_user_logged_in() ) {
    header( "Location: /" );
    exit; // without this, the rest of wp-login.php still renders the form after the header
}
}}}
This will redirect the user to the main site root if the user is already
authenticated and logged in while attempting to request /wp-login.php.
When writing my own authentication mechanisms, I would never allow a user
to reuse the login form when they're already authenticated. It allows for
more issues to be produced, as well as potential session vulnerabilities.
I figure this should be a resolved issue for WP as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27212>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
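The same check done from a plugin via the `login_init` hook, as an added example that is neither the ticket's snippet nor WordPress core code; the function name is a placeholder. Unlike a blanket redirect, it leaves the logout, post-password and reauth requests alone, since those also go through wp-login.php and a logged-in user must still be able to reach them.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): redirect already
 * authenticated users away from the login form from a plugin or mu-plugin,
 * rather than editing wp-login.php, which the next core update would overwrite.
 */
add_action( 'login_init', 'example_redirect_logged_in_from_login' ); // hypothetical name

function example_redirect_logged_in_from_login() {
    if ( ! is_user_logged_in() ) {
        return; // anonymous visitor: show the form as usual
    }

    // wp-login.php also serves the logout and post-password flows; a logged-in
    // user must still reach them, or they can never log out of the site.
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';
    $allowed = array( 'logout', 'postpass' );
    if ( in_array( $action, $allowed, true ) ) {
        return;
    }

    // reauth=1 is how core asks a logged-in user to re-enter their password;
    // the cookies are only cleared later in the 'login' action, so let it through.
    if ( ! empty( $_REQUEST['reauth'] ) ) {
        return;
    }

    // Honour redirect_to only for this site: wp_safe_redirect() validates the host
    // and falls back to admin_url() for anything not in the allowed hosts list.
    $target = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : admin_url();
    wp_safe_redirect( $target );
    exit; // stop before wp-login.php renders the form
}
```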